CVE-2017-12287

Severity Score

4.3

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A vulnerability in the cluster database (CDB) management component of Cisco Expressway Series Software and Cisco TelePresence Video Communication Server (VCS) Software could allow an authenticated, remote attacker to cause the CDB process on an affected system to restart unexpectedly, resulting in a temporary denial of service (DoS) condition. The vulnerability is due to incomplete input validation of URL requests by the REST API of the affected software. An attacker could exploit this vulnerability by sending a crafted URL to the REST API of the affected software on an affected system. A successful exploit could allow the attacker to cause the CDB process on the affected system to restart unexpectedly, resulting in a temporary DoS condition. Cisco Bug IDs: CSCve77571.

Una vulnerabilidad en el componente de gestión de bases de datos de clúster (CBD) del software Cisco Expressway Series y el software Cisco TelePresence Video Communication Server (VCS) podría permitir que un atacante autenticado remoto provocase que el proceso de CBD en un sistema afectado se reiniciase de manera inesperada, lo que daría lugar a una condición de denegación de servicio (DoS) temporal. Esta vulnerabilidad también se debe a la validación incompleta de peticiones URL por la API REST del software afectado. Un atacante podría explotar esta vulnerabilidad mediante el envío de una URL a la API REST del software afectado del sistema afectado. Un exploit con éxito podría permitir que el atacante provoque el reinicio inesperado del proceso CBD en el sistema afectado, lo que daría como resultado una condición de DoS temporal. Cisco Bug IDs: CSCve77571.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-08-03 CVE Reserved
2017-10-19 CVE Published
2023-03-12 EPSS Updated
2024-08-05 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-20: Improper Input Validation
CWE-399: Resource Management Errors

CAPEC

References (3)

URL	Tag	Source
http://www.securityfocus.com/bid/101525	Third Party Advisory
http://www.securitytracker.com/id/1039626	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171018-expressway-tp-vcs	2019-10-09

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Cisco Search vendor "Cisco"		Expressway Search vendor "Cisco" for product "Expressway"				*		-		Affected
Cisco Search vendor "Cisco"		Telepresence Conductor Search vendor "Cisco" for product "Telepresence Conductor"				*		-		Affected
Cisco Search vendor "Cisco"		Telepresence Video Communication Server Search vendor "Cisco" for product "Telepresence Video Communication Server"				*		-		Affected