CVE-2017-12250

Severity Score

5.3

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A vulnerability in the HTTP web interface for Cisco Wide Area Application Services (WAAS) could allow an unauthenticated, remote attacker to cause an HTTP Application Optimization (AO) related process to restart, causing a partial denial of service (DoS) condition. The vulnerability is due to lack of input validation of user-supplied input parameters within an HTTP request. An attacker could exploit this vulnerability by sending a crafted HTTP request through the targeted device. An exploit could allow the attacker to cause a DoS condition due to a process unexpectedly restarting. The WAAS could drop traffic during the brief time the process is restarting. Cisco Bug IDs: CSCvc63048.

Una vulnerabilidad en la interfaz web HTTP para Cisco Wide Area Application Services (WAAS) podría permitir a un atacante remoto no autenticado provocar que un proceso HTTP relacionado con la optimización de aplicaciones se reinicie, provocando una denegación de servicio parcial. Esta vulnerabilidad se debe a la falta de validación de entrada de parámetros de entrada proporcionados por el usuario en una petición HTTP. Un atacante podría explotar esta vulnerabilidad mediante el envío de una petición HTTP manipulada al dispositivo objetivo. Su explotación podría permitir a un atacante provocar una denegación de servicio por el reinicio inesperado de un proceso. WAAS podría tener una caída de tráfico durante el breve período de tiempo en el que se reinicia el proceso. Cisco Bug IDs: CSCvc63048.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-08-03 CVE Reserved
2017-09-21 CVE Published
2023-04-17 EPSS Updated
2024-08-05 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-20: Improper Input Validation
CWE-399: Resource Management Errors

CAPEC

References (3)

URL	Tag	Source
http://www.securityfocus.com/bid/100928	Third Party Advisory
http://www.securitytracker.com/id/1039415	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170920-waas	2019-10-09

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Cisco Search vendor "Cisco"		Wide Area Application Services Search vendor "Cisco" for product "Wide Area Application Services"				6.2\(3a\) Search vendor "Cisco" for product "Wide Area Application Services" and version "6.2\(3a\)"		-		Affected