Information Disclosure Vulnerability in OSNEXUS QuantaStor Virtual Appliance
CVE-2017-9978

5.3MEDIUM

Key Information:

Vendor

Osnexus

Status
Quantastor
Vendor
CVE Published:
28 August 2017

What is CVE-2017-9978?

On the OSNEXUS QuantaStor v4 virtual appliance prior to version 4.3.1, a security issue exists that can reveal system information about non-existent users. An attacker could exploit this flaw by analyzing the error messages returned when attempting to access accounts that do not exist on the platform. This could enable the attacker to enumerate valid usernames, potentially leading to further attacks against the system.

References

http://www.vvvsecurity.com/advisories/vvvsecurity-advisor...
x_refsource_MISC
https://www.exploit-db.com/exploits/42517/
exploitx_refsource_EXPLOIT-DB
http://seclists.org/fulldisclosure/2017/Aug/23
mailing-listx_refsource_FULLDISC

EPSS Score

16% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.