CVE-2017-12705 - OpenCVE

A Heap-Based Buffer Overflow issue was discovered in Advantech WebOP. A maliciously crafted project file may be able to trigger a heap-based buffer overflow, which may crash the process and allow an attacker to execute arbitrary code.

No CVSS v3.1

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:L/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Advantech	Webop

Configuration 1 [-]

cpe:2.3:a:advantech:webop:-:*:*:*:*:*:*:*

References

Link	Resource
http://www.securityfocus.com/bid/99476	Third Party Advisory VDB Entry
https://ics-cert.us-cert.gov/advisories/ICSA-17-227-01	Issue Tracking Mitigation Third Party Advisory US Government Resource VDB Entry

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: icscert

Published: 2017-10-25T07:00:00

Updated: 2017-10-25T09:57:01

Reserved: 2017-08-09T00:00:00

Link: CVE-2017-12705

JSON object: View

NVD Information

Status : Analyzed

Published: 2017-10-25T07:29:00.227

Modified: 2017-11-14T15:08:54.063

Link: CVE-2017-12705

JSON object: View

Redhat Information

No data.

CWE

CWE-119

{"containers": {"cna": {"affected": [{"product": "Advantech WebOP", "vendor": "n/a", "versions": [{"status": "affected", "version": "Advantech WebOP"}]}], "datePublic": "2017-10-25T00:00:00", "descriptions": [{"lang": "en", "value": "A Heap-Based Buffer Overflow issue was discovered in Advantech WebOP. A maliciously crafted project file may be able to trigger a heap-based buffer overflow, which may crash the process and allow an attacker to execute arbitrary code."}], "problemTypes": [{"descriptions": [{"description": "heap-based buffer overflow", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-10-25T09:57:01", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"name": "99476", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/99476"}, {"tags": ["x_refsource_MISC"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-227-01"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2017-12705", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Advantech WebOP", "version": {"version_data": [{"version_value": "Advantech WebOP"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A Heap-Based Buffer Overflow issue was discovered in Advantech WebOP. A maliciously crafted project file may be able to trigger a heap-based buffer overflow, which may crash the process and allow an attacker to execute arbitrary code."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "heap-based buffer overflow"}]}]}, "references": {"reference_data": [{"name": "99476", "refsource": "BID", "url": "http://www.securityfocus.com/bid/99476"}, {"name": "https://ics-cert.us-cert.gov/advisories/ICSA-17-227-01", "refsource": "MISC", "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-227-01"}]}}}}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2017-12705", "datePublished": "2017-10-25T07:00:00", "dateReserved": "2017-08-09T00:00:00", "dateUpdated": "2017-10-25T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:advantech:webop:-:*:*:*:*:*:*:*", "matchCriteriaId": "F492C0B4-54CC-40BE-A367-1FD87DC51598", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A Heap-Based Buffer Overflow issue was discovered in Advantech WebOP. A maliciously crafted project file may be able to trigger a heap-based buffer overflow, which may crash the process and allow an attacker to execute arbitrary code."}, {"lang": "es", "value": "Se ha descubierto un problema de desbordamiento de b\u00c3\u00bafer basado en memoria din\u00c3\u00a1mica (heap) en Advantech WebOP. Un archivo de proyecto manipulado con fines maliciosos puede desencadenar un desbordamiento de b\u00c3\u00bafer basado en memoria din\u00c3\u00a1mica (heap), lo que puede provocar el cierre inesperado del proceso y permitir que un atacante ejecute c\u00c3\u00b3digo arbitrario."}], "id": "CVE-2017-12705", "lastModified": "2017-11-14T15:08:54.063", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-10-25T07:29:00.227", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/99476"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Issue Tracking", "Mitigation", "Third Party Advisory", "US Government Resource", "VDB Entry"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-227-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}], "source": "nvd@nist.gov", "type": "Primary"}]}