Tuesday, 18 July 2017

On 00:31 by admin
A vulnerability classified as critical has been found in Apache OpenMeetings 3.2.0. The issue affects an unknown function. Manipulation of a parameter leads to privilege escalation. The problem is classified as CWE-269. Confidentiality, integrity, and availability are impacted. The CVE summary is:
Apache OpenMeetings 3.2.0 is vulnerable to parameter manipulation attacks, as a result attacker has access to restricted areas.
The weakness was disclosed on 07/17/2017. The advisory is available for download at markmail.org. The vulnerability has been identified as CVE-2017-7682 since 04/11/2017. Technical details are unknown and no exploit is publicly available. The price for an exploit might be around USD $0-$5k at the moment (estimate calculated on 07/18/2017).

No information about possible countermeasures is known. It may be advisable to replace the affected product with an alternative.

CVSSv3

VulDB Base Score: ≈5.5
VulDB Temp Score: ≈5.5
VulDB Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:X
VulDB Reliability: Low

CVSSv2

VulDB Base Score: ≈4.1 (CVSS2#AV:A/AC:M/Au:S/C:P/I:P/A:P)
VulDB Temp Score: ≈4.1 (CVSS2#E:ND/RL:ND/RC:ND)
VulDB Reliability: Low


CPE
  • cpe:/a:apache:openmeetings:3.2.0

Exploiting

Class: Privilege escalation (CWE-269)
Local: Yes
Remote: No

Availability: No

Price Prediction: steady
Current Price Estimation

0-Day: $0-$5k | $5k-$25k | $25k-$100k | $100k-$500k
Today: $0-$5k | $5k-$25k | $25k-$100k | $100k-$500k

Countermeasures

Recommended: no mitigation known
0-Day Time: 0 days since found

Timeline

04/11/2017   CVE assigned
07/17/2017  +97 days Advisory disclosed
07/18/2017  +1 days VulDB entry created
07/18/2017  +0 days VulDB last update

Sources

Advisory: markmail.org

CVE: CVE-2017-7682 (mitre.org) (nvd.nist.org) (cvedetails.com)
