製品・ソフトウェアに関する情報

JVN脆弱性詳細

Cisco Smart Net Total Care Software Collector Appliance における SQL インジェクションの脆弱性

Title	Cisco Smart Net Total Care Software Collector Appliance における SQL インジェクションの脆弱性
Summary	Cisco Smart Net Total Care (SNTC) Software Collector Appliance には、SQL インジェクションの脆弱性が存在します。ベンダは、本脆弱性を Bug ID CSCvf07617 として公開しています。
Possible impacts	情報を取得される可能性があります。
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	Aug. 2, 2017, midnight
Registration Date	Sept. 5, 2017, 2:47 p.m.
Last Update	Sept. 5, 2017, 2:47 p.m.

Affected System

シスコシステムズ

Cisco Smart Net Total Care Software Collector Appliance 3.11

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2017-6754	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6754
National Vulnerability Database (NVD)
2	CVE-2017-6754	https://nvd.nist.gov/vuln/detail/CVE-2017-6754

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-89	https://jvndb.jvn.jp/ja/cwe/CWE-89.html

ベンダー情報

No	Name	URL
Cisco Bug
1	CSCvd47888 - Cisco Adaptive Security Appliance Username Enumeration	https://quickview.cloudapps.cisco.com/quickview/bug/CSCvd47888
Cisco Security Advisory
2	cisco-sa-20170802-sntc	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170802-sntc

Change Log

No	Changed Details	Date of change
0	[2017年09月05日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2017-6754

Summary	A vulnerability in the web-based management interface of the Cisco Smart Net Total Care (SNTC) Software Collector Appliance 3.11 could allow an authenticated, remote attacker to perform a read-only, blind SQL injection attack, which could allow the attacker to compromise the confidentiality of the system through SQL timing attacks. The vulnerability is due to insufficient input validation of certain user-supplied fields that are subsequently used by the affected software to build SQL queries. An attacker could exploit this vulnerability by submitting crafted URLs, which are designed to exploit the vulnerability, to the affected software. To execute an attack successfully, the attacker would need to submit a number of requests to the affected software. A successful exploit could allow the attacker to determine the presence of values in the SQL database of the affected software. Cisco Bug IDs: CSCvf07617.
Publication Date	Aug. 7, 2017, 3:29 p.m.
Registration Date	Jan. 26, 2021, 1:27 p.m.
Last Update	Nov. 21, 2024, 12:30 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:cisco:smart_net_total_care_collector_appliance:3.11:::::::*

Related information, measures and tools

No	URL	タグ
1	http://www.securityfocus.com/bid/100126	Third Party Advisory VDB Entry
2	http://www.securityfocus.com/bid/100126	Third Party Advisory VDB Entry
3	https://quickview.cloudapps.cisco.com/quickview/bug/CSCvf07617	Vendor Advisory
4	https://quickview.cloudapps.cisco.com/quickview/bug/CSCvf07617	Vendor Advisory
5	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170802-sntc	Vendor Advisory
6	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170802-sntc	Vendor Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-89	SQLインジェクション	https://cwe.mitre.org/data/definitions/89.html