CVE-2017-9279 - OpenCVE

NetIQ Identity Manager before 4.5.6.1 allowed uploading files with double extensions or non-image content in the Themes handling of the User Application Administration, allowing malicious user administrators to potentially execute code or mislead users.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:S/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Netiq	Identity Manager

Configuration 1 [-]

cpe:2.3:a:netiq:identity_manager:*:*:*:*:*:*:*:*

References

Link	Resource
https://bugzilla.suse.com/show_bug.cgi?id=1049129
https://download.novell.com/Download?buildid=K7lbPAGJyIk~

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: microfocus

Published: 2017-09-11T00:00:00

Updated: 2021-01-06T16:15:51

Reserved: 2017-05-29T00:00:00

Link: CVE-2017-9279

JSON object: View

NVD Information

Status : Modified

Published: 2018-03-02T20:29:00.910

Modified: 2023-11-07T02:50:41.507

Link: CVE-2017-9279

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "Identity Manager", "vendor": "NetIQ", "versions": [{"lessThan": "4.5.6.1", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2017-09-11T00:00:00", "descriptions": [{"lang": "en", "value": "NetIQ Identity Manager before 4.5.6.1 allowed uploading files with double extensions or non-image content in the Themes handling of the User Application Administration, allowing malicious user administrators to potentially execute code or mislead users."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "Upload of files possible that could be misused for other purposes", "lang": "en", "type": "text"}]}, {"descriptions": [{"cweId": "CWE-434", "description": "CWE-434", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-01-06T16:15:51", "orgId": "f81092c5-7f14-476d-80dc-24857f90be84", "shortName": "microfocus"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://download.novell.com/Download?buildid=K7lbPAGJyIk~"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1049129"}], "source": {"advisory": "2017-09-11", "defect": ["1049129"], "discovery": "EXTERNAL"}, "title": "NetIQ Identity Manager allowed uploading of user icons with incorrect types or extensions", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@microfocus.com", "DATE_PUBLIC": "2017-09-11T00:00:00.000Z", "ID": "CVE-2017-9279", "STATE": "PUBLIC", "TITLE": "NetIQ Identity Manager allowed uploading of user icons with incorrect types or extensions"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Identity Manager", "version": {"version_data": [{"affected": "<", "version_affected": "<", "version_value": "4.5.6.1"}]}}]}, "vendor_name": "NetIQ"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "NetIQ Identity Manager before 4.5.6.1 allowed uploading files with double extensions or non-image content in the Themes handling of the User Application Administration, allowing malicious user administrators to potentially execute code or mislead users."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Upload of files possible that could be misused for other purposes"}]}, {"description": [{"lang": "eng", "value": "CWE-434"}]}]}, "references": {"reference_data": [{"name": "https://download.novell.com/Download?buildid=K7lbPAGJyIk~", "refsource": "CONFIRM", "url": "https://download.novell.com/Download?buildid=K7lbPAGJyIk~"}, {"name": "https://bugzilla.suse.com/show_bug.cgi?id=1049129", "refsource": "CONFIRM", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1049129"}]}, "source": {"advisory": "2017-09-11", "defect": ["1049129"], "discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "f81092c5-7f14-476d-80dc-24857f90be84", "assignerShortName": "microfocus", "cveId": "CVE-2017-9279", "datePublished": "2017-09-11T00:00:00", "dateReserved": "2017-05-29T00:00:00", "dateUpdated": "2021-01-06T16:15:51", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netiq:identity_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "B66D9825-C8A9-45E2-B932-BA2444FCA62E", "versionEndExcluding": "4.5.6.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "NetIQ Identity Manager before 4.5.6.1 allowed uploading files with double extensions or non-image content in the Themes handling of the User Application Administration, allowing malicious user administrators to potentially execute code or mislead users."}, {"lang": "es", "value": "NetIQ Identity Manager, en versiones anteriores a la 4.5.6.1, permit\u00eda la subida de archivos con doble extensi\u00f3n o contenido sin im\u00e1genes en la manipulaci\u00f3n de temas de User Application Administration. Esto permit\u00eda que usuarios administradores maliciosos ejecutasen c\u00f3digo o confundiesen a los usuarios."}], "id": "CVE-2017-9279", "lastModified": "2023-11-07T02:50:41.507", "metrics": {"cvssMetricV2": [{"acInsufInfo": true, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.0, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 0.6, "impactScore": 1.4, "source": "security@opentext.com", "type": "Secondary"}]}, "published": "2018-03-02T20:29:00.910", "references": [{"source": "security@opentext.com", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1049129"}, {"source": "security@opentext.com", "url": "https://download.novell.com/Download?buildid=K7lbPAGJyIk~"}], "sourceIdentifier": "security@opentext.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-434"}], "source": "security@opentext.com", "type": "Secondary"}]}