Wednesday, 26 July 2017

Posted at 01:09 by admin
A vulnerability was found in AppUse 4.0. It has been declared critical. The affected function is unknown. Manipulating the proxy argument with an unknown input leads to a privilege escalation vulnerability (Shell). The CWE definition for the vulnerability is CWE-269. It is known to affect confidentiality, integrity, and availability. The summary by CVE is:
AppUse 4.0 allows shell command injection via a proxy field.
The weakness was disclosed on 07/25/2017. The vulnerability has been known as CVE-2017-11566 since 07/23/2017. Technical details are known, but no exploit is available. The price for an exploit might be around USD $0-$5k at the moment.

No information about possible countermeasures is known. It may be suggested to replace the affected object with an alternative product.

CVSSv3

VulDB Base Score: ≈5.5
VulDB Temp Score: ≈5.5
VulDB Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:X
VulDB Reliability: Low

CVSSv2

VulDB Base Score: ≈4.1 (CVSS2#AV:A/AC:M/Au:S/C:P/I:P/A:P)
VulDB Temp Score: ≈4.1 (CVSS2#E:ND/RL:ND/RC:ND)
VulDB Reliability: Low

CPE

  • cpe:/a:appuse:appuse:4.0

Exploiting

Class: Privilege escalation / Shell (CWE-269)
Local: Yes
Remote: No

Availability: No

Price Prediction: steady
Current Price Estimation

0-Day   $0-$5k   $5k-$25k   $25k-$100k   $100k-$500k
Today   $0-$5k   $5k-$25k   $25k-$100k   $100k-$500k

Countermeasures

Recommended: no mitigation known
0-Day Time: 0 days since found

Timeline

07/23/2017   CVE assigned
07/25/2017  +2 days Advisory disclosed
07/26/2017  +1 days VulDB entry created
07/26/2017  +0 days VulDB last update

Sources

CVE: CVE-2017-11566 (mitre.org) (nvd.nist.org) (cvedetails.com)
