Vulnerability Details CVE-2017-8055
WatchGuard Fireware allows user enumeration, e.g., in the Firebox XML-RPC login handler. A login request that contains a blank password sent to the XML-RPC agent in Fireware v11.12.1 and earlier returns different responses for valid and invalid usernames. An attacker could exploit this vulnerability to enumerate valid usernames on an affected Firebox.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 52.2%
CVSS Severity
CVSS v3 Score 5.3
CVSS v2 Score 5.0
References
- http://watchguardsupport.force.com/publicKB?type=KBSecurityIssues&SFDCID=kA62A0000000KlGSAU
- https://packetstormsecurity.com/files/142177/watchguardfbxtm-xxeinject.txt
- https://www.sidertia.com/Home/Community/Blog/2017/04/17/Fixed-the-Fireware-Vulnerabilities-discovered-by-Sidertia
- https://www.watchguard.com/support/release-notes/fireware/11/en-US/EN_ReleaseNotes_Fireware_11_12_2/index.html
- http://watchguardsupport.force.com/publicKB?type=KBSecurityIssues&SFDCID=kA62A0000000KlGSAU
- https://packetstormsecurity.com/files/142177/watchguardfbxtm-xxeinject.txt
- https://www.sidertia.com/Home/Community/Blog/2017/04/17/Fixed-the-Fireware-Vulnerabilities-discovered-by-Sidertia
- https://www.watchguard.com/support/release-notes/fireware/11/en-US/EN_ReleaseNotes_Fireware_11_12_2/index.html
Products affected by CVE-2017-8055
-
cpe:2.3:o:watchguard:fireware:11.0.2
-
cpe:2.3:o:watchguard:fireware:11.1
-
cpe:2.3:o:watchguard:fireware:11.2.1