CVE-2017-20049 - Vulnerability Details - OpenCVE

A vulnerability, was found in legacy Axis devices such as P3225 and M3005. This affects an unknown part of the component CGI Script. The manipulation leads to improper privilege management. It is possible to initiate the attack remotely.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Axis	M3005 M3005 Firmware M3007 M3007 Firmware M3045 M3045 Firmware P1204 P1204 Firmware P3225 P3225 Firmware P3367 P3367 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:axis:p1204_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:axis:p1204:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:axis:p3225_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:axis:p3225:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:axis:p3367_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:axis:p3367:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:axis:m3045_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:axis:m3045:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND

cpe:2.3:o:axis:m3005_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:axis:m3005:-:*:*:*:*:*:*:*

Configuration 6 [-]

AND

cpe:2.3:o:axis:m3007_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:axis:m3007:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.axis.com/dam/public/df/f3/dd/cve-2017-20049-en-US-376956.pdf

History

No history.

MITRE

Status: PUBLISHED

Assigner: Axis

Published: 2022-06-15T17:35:25

Updated: 2024-08-05T21:45:25.224Z

Reserved: 2022-06-08T00:00:00

Link: CVE-2017-20049

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-06-15T18:15:08.470

Modified: 2024-11-21T03:22:31.257

Link: CVE-2017-20049

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "AXIS OS", "vendor": "n/a", "versions": [{"status": "affected", "version": "All firmware versions prior to 5.65"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability, was found in legacy Axis devices such as P3225 and M3005. This affects an unknown part of the component CGI Script. The manipulation leads to improper privilege management. It is possible to initiate the attack remotely."}], "problemTypes": [{"descriptions": [{"description": "Boa web server runs as root in legacy devices", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-09-07T19:30:43", "orgId": "f2daf9a0-02c2-4b83-a01d-63b3b304b807", "shortName": "Axis"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.axis.com/dam/public/df/f3/dd/cve-2017-20049-en-US-376956.pdf"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "product-security@axis.com", "ID": "CVE-2017-20049", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "AXIS OS", "version": {"version_data": [{"version_value": "All firmware versions prior to 5.65"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability, was found in legacy Axis devices such as P3225 and M3005. This affects an unknown part of the component CGI Script. The manipulation leads to improper privilege management. It is possible to initiate the attack remotely."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Boa web server runs as root in legacy devices"}]}]}, "references": {"reference_data": [{"name": "https://www.axis.com/dam/public/df/f3/dd/cve-2017-20049-en-US-376956.pdf", "refsource": "MISC", "url": "https://www.axis.com/dam/public/df/f3/dd/cve-2017-20049-en-US-376956.pdf"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T21:45:25.224Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.axis.com/dam/public/df/f3/dd/cve-2017-20049-en-US-376956.pdf"}]}]}, "cveMetadata": {"assignerOrgId": "f2daf9a0-02c2-4b83-a01d-63b3b304b807", "assignerShortName": "Axis", "cveId": "CVE-2017-20049", "datePublished": "2022-06-15T17:35:25", "dateReserved": "2022-06-08T00:00:00", "dateUpdated": "2024-08-05T21:45:25.224Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:axis:p1204_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "D80172CB-9700-4FCA-A51C-8E7C09612ECE", "versionEndIncluding": "5.50.4", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:axis:p1204:-:*:*:*:*:*:*:*", "matchCriteriaId": "339417CD-0D80-4A41-8594-380BBFFC38FD", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:axis:p3225_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "B92C5ECB-3494-4E52-BC13-DA76892AF752", "versionEndIncluding": "6.30.1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:axis:p3225:-:*:*:*:*:*:*:*", "matchCriteriaId": "4C2A7B73-4702-41F9-9B14-284E8DE3ECDB", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:axis:p3367_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "C001DC0F-EA8D-4E3C-9166-6CB01137B8B9", "versionEndIncluding": "6.10.1.2", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:axis:p3367:-:*:*:*:*:*:*:*", "matchCriteriaId": "CF90F760-DEFC-4127-BA83-A60BB13F8721", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:axis:m3045_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "F8B93415-A82C-405A-8DE4-A69C6876C1DB", "versionEndIncluding": "6.15.4.1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:axis:m3045:-:*:*:*:*:*:*:*", "matchCriteriaId": "8E3060B6-71ED-4A15-A2FD-F9BC004930F6", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:axis:m3005_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "B8E31A7F-CC9E-4284-8D4E-6C07923FBDF8", "versionEndIncluding": "5.50.5.7", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:axis:m3005:-:*:*:*:*:*:*:*", "matchCriteriaId": "725FBF6F-3736-4897-8AFE-1DE6B6D5EB5F", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:axis:m3007_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "0FA6C9CF-EE9C-4E19-AEFB-13D8FC581A85", "versionEndIncluding": "6.30.1.1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:axis:m3007:-:*:*:*:*:*:*:*", "matchCriteriaId": "5E4906C0-26D8-45B6-A5FC-4FADE7973781", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "A vulnerability, was found in legacy Axis devices such as P3225 and M3005. This affects an unknown part of the component CGI Script. The manipulation leads to improper privilege management. It is possible to initiate the attack remotely."}, {"lang": "es", "value": "Se ha encontrado una vulnerabilidad en los dispositivos Axis heredados, como el P3225 y el M3005. Esto afecta a una parte desconocida del componente CGI Script. La manipulaci\u00f3n conduce a una gesti\u00f3n inadecuada de los privilegios. Es posible iniciar el ataque de forma remota"}], "id": "CVE-2017-20049", "lastModified": "2024-11-21T03:22:31.257", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-06-15T18:15:08.470", "references": [{"source": "product-security@axis.com", "url": "https://www.axis.com/dam/public/df/f3/dd/cve-2017-20049-en-US-376956.pdf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.axis.com/dam/public/df/f3/dd/cve-2017-20049-en-US-376956.pdf"}], "sourceIdentifier": "product-security@axis.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "nvd@nist.gov", "type": "Primary"}]}