CVE-2017-9491
CVSS V2 Medium 5
CVSS V3 Medium 5.3
Description
The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18-v303r20421733-160420a-CMCST); Cisco DPC3939 (firmware version dpc3939-P20-18-v303r20421746-170221a-CMCST); Cisco DPC3939B (firmware version dpc3939b-v303r204217-150321a-CMCST); Cisco DPC3941T (firmware version DPC3941_2.5s3_PROD_sey); and Arris TG1682G (eMTA&DOCSIS version 10.0.132.SIP.PC20.CT, software version TG1682_2.2p7s2_PROD_sey) devices does not set the secure flag for cookies in an https session to an administration application, which makes it easier for remote attackers to capture these cookies by intercepting their transmission within an http session.
Overview
- CVE ID
- CVE-2017-9491
- Assigner
- cve@mitre.org
- Vulnerability Status
- Analyzed
- Published Version
- 2017-07-31T03:29:00
- Last Modified Date
- 2021-09-13T11:30:59
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| AND | ||||
| cpe:2.3:o:cisco:dpc3939_firmware:dpc3939-p20-18-v303r20421733-160420a-cmcst:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:h:cisco:dpc3939:-:*:*:*:*:*:*:* | 0 | OR | ||
| AND | ||||
| cpe:2.3:o:cisco:dpc3939_firmware:dpc3939-p20-18-v303r20421746-170221a-cmcst:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:h:cisco:dpc3939:-:*:*:*:*:*:*:* | 0 | OR | ||
| AND | ||||
| cpe:2.3:o:cisco:dpc3939b_firmware:dpc3939b-v303r204217-150321a-cmcst:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:h:cisco:dpc3939b:-:*:*:*:*:*:*:* | 0 | OR | ||
| AND | ||||
| cpe:2.3:o:cisco:dpc3941t_firmware:dpc3941_2.5s3_prod_sey:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:h:cisco:dpc3941t:-:*:*:*:*:*:*:* | 0 | OR | ||
| AND | ||||
| cpe:2.3:o:commscope:arris_tg1682g_firmware:10.0.132.sip.pc20.ct:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:o:commscope:arris_tg1682g_firmware:tg1682_2.2p7s2_prod_sey:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:h:commscope:arris_tg1682g:-:*:*:*:*:*:*:* | 0 | OR |
CVSS Version 2
- Version
- 2.0
- Vector String
- AV:N/AC:L/Au:N/C:P/I:N/A:N
- Access Vector
- NETWORK
- Access Compatibility
- LOW
- Authentication
- NONE
- Confidentiality Impact
- PARTIAL
- Integrity Impact
- NONE
- Availability Impact
- NONE
- Base Score
- 5
- Severity
- MEDIUM
- Exploitability Score
- 10
- Impact Score
- 2.9
CVSS Version 3
- Version
- 3.1
- Vector String
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- Attack Vector
- NETWORK
- Attack Compatibility
- LOW
- Privileges Required
- NONE
- User Interaction
- NONE
- Scope
- UNCHANGED
- Confidentiality Impact
- LOW
- Availability Impact
- NONE
- Base Score
- 5.3
- Base Severity
- MEDIUM
- Exploitability Score
- 3.9
- Impact Score
- 1.4
References
| Reference URL | Reference Tags |
|---|---|
| https://github.com/BastilleResearch/CableTap/blob/master/doc/advisories/bastille-35.improper-cookie-flags.txt | Mitigation Third Party Advisory |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2017-9491 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9491 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2022-05-10 16:05:59 | Added to TrackCVE | |||
| 2022-12-02 19:12:28 | 2017-07-31T03:29Z | 2017-07-31T03:29:00 | CVE Published Date | updated |
| 2022-12-02 19:12:28 | 2021-09-13T11:30:59 | CVE Modified Date | updated | |
| 2022-12-02 19:12:28 | Analyzed | Vulnerability Status | updated |