CVE-2017-8051
CRITICAL
Tenable Appliance - OS Command Injection
Tenable Appliance 3.5 - 4.4.0, and possibly prior versions, contains a flaw in the simpleupload.py script in the Web UI. Through the manipulation of the tns_appliance_session_user parameter, a remote attacker can inject arbitrary commands.
Exploits (1)
Scores
CVSS v3: 9.8
EPSS: 0.5306
EPSS Percentile: 98.0%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-78
Status: published
Products (11)
tenable/appliance 3.4.0
tenable/appliance 3.5.0
tenable/appliance 3.5.1
tenable/appliance 3.10.0
tenable/appliance 3.10.1
tenable/appliance 4.0.0
tenable/appliance 4.1.0
tenable/appliance 4.2.0
tenable/appliance 4.3.0
tenable/appliance 4.3.1
... and 1 more
Published: Apr 21, 2017
Tracked Since: Feb 18, 2026