{"api_version":"1","generated_at":"2026-04-23T02:57:15+00:00","cve":"CVE-2017-15103","urls":{"html":"https://cve.report/CVE-2017-15103","api":"https://cve.report/api/cve/CVE-2017-15103.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2017-15103","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2017-15103"},"summary":{"title":"CVE-2017-15103","description":"A security-check flaw was found in the way the Heketi 5 server API handled user requests. An authenticated Heketi user could send specially crafted requests to the Heketi server, resulting in remote command execution as the user running Heketi server and possibly privilege escalation.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2017-12-18 19:29:00","updated_at":"2023-02-12 23:28:00"},"problem_types":["CWE-78"],"metrics":[],"references":[{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1510147","name":"https://bugzilla.redhat.com/show_bug.cgi?id=1510147","refsource":"CONFIRM","tags":["Issue Tracking","Patch"],"title":"Bug 1510147 – CVE-2017-15103 heketi: OS command injection in heketi API","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://access.redhat.com/security/cve/CVE-2017-15103","name":"https://access.redhat.com/security/cve/CVE-2017-15103","refsource":"CONFIRM","tags":["Third Party Advisory"],"title":"Red Hat Customer Portal - Access to 24x7 support and knowledge","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2017:3481","name":"RHSA-2017:3481","refsource":"REDHAT","tags":["Third Party Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2017-15103","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-15103","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2017","cve_id":"15103","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"heketi_project","cpe5":"heketi","cpe6":"5.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"15103","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"heketi_project","cpe5":"heketi","cpe6":"5.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"15103","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux","cpe6":"7.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"15103","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux","cpe6":"7.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2017-15103","ASSIGNER":"secalert@redhat.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"A security-check flaw was found in the way the Heketi 5 server API handled user requests. An authenticated Heketi user could send specially crafted requests to the Heketi server, resulting in remote command execution as the user running Heketi server and possibly privilege escalation."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-78","cweId":"CWE-78"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Heketi","product":{"product_data":[{"product_name":"Heketi","version":{"version_data":[{"version_affected":"=","version_value":"5.0"}]}}]}}]}},"references":{"reference_data":[{"url":"https://access.redhat.com/errata/RHSA-2017:3481","refsource":"MISC","name":"https://access.redhat.com/errata/RHSA-2017:3481"},{"url":"https://access.redhat.com/security/cve/CVE-2017-15103","refsource":"MISC","name":"https://access.redhat.com/security/cve/CVE-2017-15103"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1510147","refsource":"MISC","name":"https://bugzilla.redhat.com/show_bug.cgi?id=1510147"}]}},"nvd":{"publishedDate":"2017-12-18 19:29:00","lastModifiedDate":"2023-02-12 23:28:00","problem_types":["CWE-78"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:C/I:C/A:C","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"COMPLETE","integrityImpact":"COMPLETE","availabilityImpact":"COMPLETE","baseScore":9},"severity":"HIGH","exploitabilityScore":8,"impactScore":10,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:heketi_project:heketi:5.0:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2017","CveId":"15103","Ordinal":"112605","Title":"CVE-2017-15103","CVE":"CVE-2017-15103","Year":"2017"},"notes":[{"CveYear":"2017","CveId":"15103","Ordinal":"1","NoteData":"A security-check flaw was found in the way the Heketi 5 server API handled user requests. An authenticated Heketi user could send specially crafted requests to the Heketi server, resulting in remote command execution as the user running Heketi server and possibly privilege escalation.","Type":"Description","Title":null},{"CveYear":"2017","CveId":"15103","Ordinal":"2","NoteData":"2017-12-18","Type":"Other","Title":"Published"},{"CveYear":"2017","CveId":"15103","Ordinal":"3","NoteData":"2017-12-19","Type":"Other","Title":"Modified"}]}}}