CVE-2017-6712

Published: Jul 6, 2017Modified: May 13, 2026

8.8

Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

A vulnerability in certain commands of Cisco Elastic Services Controller could allow an authenticated, remote attacker to elevate privileges to root and run dangerous commands on the server. The vulnerability occurs because a "tomcat" user on the system can run certain shell commands, allowing the user to overwrite any file on the filesystem and elevate privileges to root. This vulnerability affects Cisco Elastic Services Controller prior to releases 2.3.1.434 and 2.3.2. Cisco Bug IDs: CSCvc76634.

Affected (6)

Products: Cisco: Elastic Services Controller

Cisco

1 product

Elastic Services Controller

Configuration A

6 vulnerable

Vulnerable Software	Affected Versions
Cisco Elastic Services Controller	Version 1.0.0
Cisco Elastic Services Controller	Version 1.1.0
Cisco Elastic Services Controller	Version 2.0
Cisco Elastic Services Controller	Version 2.1.0
Cisco Elastic Services Controller	Version 2.2.0
Cisco Elastic Services Controller	Version 2.3.0

Related CWEs

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (4)

http://www.securityfocus.com/bid/99461

Source: psirt@cisco.com

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-esc1

Source: psirt@cisco.com

Vendor Advisory

http://www.securityfocus.com/bid/99461

Source: af854a3a-2127-422b-91ae-364da2661108

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-esc1

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.