Vulnerabilities > CVE-2017-8055 - Information Exposure Through Discrepancy vulnerability in Watchguard Fireware 11.0.2/11.1/11.2.1
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
LOW Integrity impact
NONE Availability impact
NONE Summary
WatchGuard Fireware allows user enumeration, e.g., in the Firebox XML-RPC login handler. A login request that contains a blank password sent to the XML-RPC agent in Fireware v11.12.1 and earlier returns different responses for valid and invalid usernames. An attacker could exploit this vulnerability to enumerate valid usernames on an affected Firebox.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
OS | 3 |
Common Weakness Enumeration (CWE)
References
- https://www.watchguard.com/support/release-notes/fireware/11/en-US/EN_ReleaseNotes_Fireware_11_12_2/index.html
- https://www.sidertia.com/Home/Community/Blog/2017/04/17/Fixed-the-Fireware-Vulnerabilities-discovered-by-Sidertia
- https://packetstormsecurity.com/files/142177/watchguardfbxtm-xxeinject.txt
- http://watchguardsupport.force.com/publicKB?type=KBSecurityIssues&SFDCID=kA62A0000000KlGSAU