CVE-2017-9812

HIGH

Kaspersky Anti-virus For Linux Server < 8.0.3.297 - Information Disclosure

Title source: rule

Description

The reportId parameter of the getReportStatus action method can be abused in the web interface in Kaspersky Anti-Virus for Linux File Server before Maintenance Pack 2 Critical Fix 4 (version 8.0.4.312) to read arbitrary files with kluser privileges.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Core Security · textwebappslinux

https://www.exploit-db.com/exploits/42269

View Code ZIP pw:eip

References (6)

[Exploit, Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/143190/Kaspersky-Anti-Virus-File-Server-8.0.3.297-XSS-CSRF-Code-Execution.html

[Exploit, Mailing List, Third Party Advisory, VDB Entry] http://seclists.org/fulldisclosure/2017/Jun/33

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/99330

[Third Party Advisory, VDB Entry] http://www.securitytracker.com/id/1038798

[Exploit, Third Party Advisory] https://www.coresecurity.com/advisories/kaspersky-anti-virus-file-server-multiple-vulnerabilities

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/42269/

Scores

CVSS v3 7.5

EPSS 0.2717

EPSS Percentile 96.3%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Classification

CWE

CWE-200

Status draft

Affected Products (1)

kaspersky/anti-virus_for_linux_server < 8.0.3.297

Timeline

Published Jul 17, 2017

Tracked Since Feb 18, 2026