CVE-2017-20217

Serviio PRO 1.8 contains an information disclosure vulnerability due to improper access control enforcement in the Configuration REST API that allows unauthenticated attackers to access sensitive information. Remote attackers can send specially crafted requests to the REST API endpoints to retrieve potentially sensitive configuration data without authentication.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
http://www.securitylab.ru/poc/486048.php
https://blogs.securiteam.com/index.php/archives/3094
https://cxsecurity.com/issue/WLB-2017050022
https://exchange.xforce.ibmcloud.com/vulnerabilities/125646
https://packetstormsecurity.com/files/142383
https://www.exploit-db.com/exploits/41958/
https://www.vulncheck.com/advisories/serviio-pro-rest-api-information-disclosure
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5404.php

Configurations

No configuration.

History

15 Apr 2026, 14:56

Type	Values Removed	Values Added
Summary		(es) Serviio PRO 1.8 contiene una vulnerabilidad de revelación de información debido a una aplicación inadecuada del control de acceso en la API REST de configuración que permite a atacantes no autenticados acceder a información sensible. Atacantes remotos pueden enviar solicitudes especialmente diseñadas a los puntos finales de la API REST para recuperar datos de configuración potencialmente sensibles sin autenticación.

16 Mar 2026, 14:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-16 14:17

Updated : 2026-04-15 14:56

NVD link : CVE-2017-20217

Mitre link : CVE-2017-20217

CVE.ORG link : CVE-2017-20217

JSON object : View

Products Affected

No product.

CWE

CWE-306

Missing Authentication for Critical Function

{"id": "CVE-2017-20217", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "disclosure@vulncheck.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-16T14:17:51.090", "references": [{"url": "http://www.securitylab.ru/poc/486048.php", "source": "disclosure@vulncheck.com"}, {"url": "https://blogs.securiteam.com/index.php/archives/3094", "source": "disclosure@vulncheck.com"}, {"url": "https://cxsecurity.com/issue/WLB-2017050022", "source": "disclosure@vulncheck.com"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/125646", "source": "disclosure@vulncheck.com"}, {"url": "https://packetstormsecurity.com/files/142383", "source": "disclosure@vulncheck.com"}, {"url": "https://www.exploit-db.com/exploits/41958/", "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/serviio-pro-rest-api-information-disclosure", "source": "disclosure@vulncheck.com"}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5404.php", "source": "disclosure@vulncheck.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-306"}]}], "descriptions": [{"lang": "en", "value": "Serviio PRO 1.8 contains an information disclosure vulnerability due to improper access control enforcement in the Configuration REST API that allows unauthenticated attackers to access sensitive information. Remote attackers can send specially crafted requests to the REST API endpoints to retrieve potentially sensitive configuration data without authentication."}, {"lang": "es", "value": "Serviio PRO 1.8 contiene una vulnerabilidad de revelaci\u00f3n de informaci\u00f3n debido a una aplicaci\u00f3n inadecuada del control de acceso en la API REST de configuraci\u00f3n que permite a atacantes no autenticados acceder a informaci\u00f3n sensible. Atacantes remotos pueden enviar solicitudes especialmente dise\u00f1adas a los puntos finales de la API REST para recuperar datos de configuraci\u00f3n potencialmente sensibles sin autenticaci\u00f3n."}], "lastModified": "2026-04-15T14:56:45.970", "sourceIdentifier": "disclosure@vulncheck.com"}