NVD Vulnerability Detail

CVE-2017-7240

Summary	An issue was discovered on Miele Professional PST10 devices. The corresponding embedded webserver "PST10 WebServer" typically listens to port 80 and is prone to a directory traversal attack; therefore, an unauthenticated attacker may be able to exploit this issue to access sensitive information to aide in subsequent attacks. A Proof of Concept is GET /../../../../../../../../../../../../etc/shadow HTTP/1.1. This affects PG8527 devices 2.02 before 2.12, PG8527 devices 2.51 before 2.61, PG8527 devices 2.52 before 2.62, PG8527 devices 2.54 before 2.64, PG8528 devices 2.02 before 2.12, PG8528 devices 2.51 before 2.61, PG8528 devices 2.52 before 2.62, PG8528 devices 2.54 before 2.64, PG8535 devices 1.00 before 1.10, PG8535 devices 1.04 before 1.14, PG8536 devices 1.10 before 1.20, and PG8536 devices 1.14 before 1.24.
Publication Date	March 25, 2017, 12:59 a.m.
Registration Date	Jan. 26, 2021, 1:28 p.m.
Last Update	Nov. 21, 2024, 12:31 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:o:miele_professional:pst10_webserver:-:::::::*
execution environment
1	cpe:2.3:h:miele_professional:pg_8528:-:::::::*

Related information, measures and tools

No	URL	タグ
1	http://seclists.org/fulldisclosure/2017/Mar/63	Exploit Third Party Advisory VDB Entry
2	http://seclists.org/fulldisclosure/2017/Mar/63	Exploit Third Party Advisory VDB Entry
3	http://www.securityfocus.com/bid/97080
4	http://www.securityfocus.com/bid/97080
5	https://ics-cert.us-cert.gov/advisories/ICSA-17-138-01
6	https://ics-cert.us-cert.gov/advisories/ICSA-17-138-01
7	https://www.exploit-db.com/exploits/41718/
8	https://www.exploit-db.com/exploits/41718/
9	https://www.miele.de/en/m/miele-admits-communication-glitch-4072.htm
10	https://www.miele.de/en/m/miele-admits-communication-glitch-4072.htm

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-22	パス・トラバーサル	https://cwe.mitre.org/data/definitions/22.html

JVN Vulnerability Information

Miele Professional PG 8528 の PST10 デバイスにおけるパストラバーサルの脆弱性

Title	Miele Professional PG 8528 の PST10 デバイスにおけるパストラバーサルの脆弱性
Summary	Miele Professional PG 8528 の PST10 デバイスには、パストラバーサルの脆弱性が存在します。
Possible impacts	情報を取得される可能性があります。
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	March 24, 2017, midnight
Registration Date	April 25, 2017, 4:26 p.m.
Last Update	Sept. 11, 2017, 8:49 a.m.

Affected System

Miele Corporate

PST10 WebServer (PG 8528)

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2017-7240	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7240
National Vulnerability Database (NVD)
2	CVE-2017-7240	https://nvd.nist.gov/vuln/detail/CVE-2017-7240

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-22	https://jvndb.jvn.jp/ja/cwe/CWE-22.html

ベンダー情報

No	Name	URL
Miele Corporate
1	PG 8528	https://www.miele.co.uk/professional/large-capacity-washer-disinfectors-560.htm?mat=10339600&name=PG_8528

その他

No	Name	URL
ICS-CERT ADVISORY
1	ICSA-17-138-01	https://ics-cert.us-cert.gov/advisories/ICSA-17-138-01
関連文書
2	[CVE-2017-7240] Miele Professional PG 8528 - Web Server Directory Traversal	http://seclists.org/fulldisclosure/2017/Mar/63

Change Log

No	Changed Details	Date of change
0	[2017年04月25日] 掲載 [2017年09月11日] 参考情報：ICS-CERT ADVISORY (ICSA-17-138-01) を追加	Feb. 17, 2018, 10:37 a.m.