{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2017-20217", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-03-15T17:44:02.111Z", "datePublished": "2026-03-15T18:34:24.635Z", "dateUpdated": "2026-03-16T14:20:18.020Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-15T18:34:24.635Z"}, "datePublic": "2017-05-03T00:00:00.000Z", "title": "Serviio PRO 1.8 REST API Information Disclosure", "descriptions": [{"lang": "en", "value": "Serviio PRO 1.8 contains an information disclosure vulnerability due to improper access control enforcement in the Configuration REST API that allows unauthenticated attackers to access sensitive information. Remote attackers can send specially crafted requests to the REST API endpoints to retrieve potentially sensitive configuration data without authentication."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authentication for Critical Function", "cweId": "CWE-306", "type": "CWE"}]}], "affected": [{"vendor": "Serviio", "product": "Serviio PRO", "versions": [{"version": "1.8.0.0 PRO", "status": "affected"}, {"version": "1.7.1", "status": "affected"}, {"version": "1.7.0", "status": "affected"}, {"version": "1.6.1", "status": "affected"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.7, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS"}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS"}], "references": [{"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5404.php", "name": "Zero Science Lab Disclosure", "tags": ["third-party-advisory"]}, {"url": "https://blogs.securiteam.com/index.php/archives/3094", "name": "SecuriTeam Blogs", "tags": ["third-party-advisory"]}, {"url": "https://www.exploit-db.com/exploits/41958/", "name": "Exploit-DB", "tags": ["exploit"]}, {"url": "https://cxsecurity.com/issue/WLB-2017050022", "name": "CXSecurity", "tags": ["third-party-advisory"]}, {"url": "https://packetstormsecurity.com/files/142383", "name": "Packet Storm Security", "tags": ["exploit"]}, {"url": "http://www.securitylab.ru/poc/486048.php", "name": "SecurityLab", "tags": ["third-party-advisory"]}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/125646", "name": "IBM X-Force Exchange", "tags": ["vdb-entry"]}, {"name": "VulnCheck Advisory: Serviio PRO 1.8 REST API Information Disclosure", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/serviio-pro-rest-api-information-disclosure"}], "credits": [{"lang": "en", "value": "LiquidWorm as Gjoko Krstic of Zero Science Lab", "type": "finder"}], "x_generator": {"engine": "vulncheck"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2017-20217", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T14:11:40.189061Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T14:20:18.020Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2017-20217", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T14:11:40.189061Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T14:17:17.753Z"}}], "cna": {"title": "Serviio PRO 1.8 REST API Information Disclosure", "credits": [{"lang": "en", "type": "finder", "value": "LiquidWorm as Gjoko Krstic of Zero Science Lab"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Serviio", "product": "Serviio PRO", "versions": [{"status": "affected", "version": "1.8.0.0 PRO"}, {"status": "affected", "version": "1.7.1"}, {"status": "affected", "version": "1.7.0"}, {"status": "affected", "version": "1.6.1"}]}], "datePublic": "2017-05-03T00:00:00.000Z", "references": [{"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5404.php", "name": "Zero Science Lab Disclosure", "tags": ["third-party-advisory"]}, {"url": "https://blogs.securiteam.com/index.php/archives/3094", "name": "SecuriTeam Blogs", "tags": ["third-party-advisory"]}, {"url": "https://www.exploit-db.com/exploits/41958/", "name": "Exploit-DB", "tags": ["exploit"]}, {"url": "https://cxsecurity.com/issue/WLB-2017050022", "name": "CXSecurity", "tags": ["third-party-advisory"]}, {"url": "https://packetstormsecurity.com/files/142383", "name": "Packet Storm Security", "tags": ["exploit"]}, {"url": "http://www.securitylab.ru/poc/486048.php", "name": "SecurityLab", "tags": ["third-party-advisory"]}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/125646", "name": "IBM X-Force Exchange", "tags": ["vdb-entry"]}, {"url": "https://www.vulncheck.com/advisories/serviio-pro-rest-api-information-disclosure", "name": "VulnCheck Advisory: Serviio PRO 1.8 REST API Information Disclosure", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "Serviio PRO 1.8 contains an information disclosure vulnerability due to improper access control enforcement in the Configuration REST API that allows unauthenticated attackers to access sensitive information. Remote attackers can send specially crafted requests to the REST API endpoints to retrieve potentially sensitive configuration data without authentication."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "Missing Authentication for Critical Function"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-15T18:34:24.635Z"}}}, "cveMetadata": {"cveId": "CVE-2017-20217", "state": "PUBLISHED", "dateUpdated": "2026-03-16T14:20:18.020Z", "dateReserved": "2026-03-15T17:44:02.111Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-03-15T18:34:24.635Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Serviio PRO 1.8 contains an information disclosure vulnerability due to improper access control enforcement in the Configuration REST API that allows unauthenticated attackers to access sensitive information. Remote attackers can send specially crafted requests to the REST API endpoints to retrieve potentially sensitive configuration data without authentication."}, {"lang": "es", "value": "Serviio PRO 1.8 contiene una vulnerabilidad de revelaci\u00f3n de informaci\u00f3n debido a una aplicaci\u00f3n inadecuada del control de acceso en la API REST de configuraci\u00f3n que permite a atacantes no autenticados acceder a informaci\u00f3n sensible. Atacantes remotos pueden enviar solicitudes especialmente dise\u00f1adas a los puntos finales de la API REST para recuperar datos de configuraci\u00f3n potencialmente sensibles sin autenticaci\u00f3n."}], "id": "CVE-2017-20217", "lastModified": "2026-04-15T14:56:45.970", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-03-16T14:17:51.090", "references": [{"source": "disclosure@vulncheck.com", "url": "http://www.securitylab.ru/poc/486048.php"}, {"source": "disclosure@vulncheck.com", "url": "https://blogs.securiteam.com/index.php/archives/3094"}, {"source": "disclosure@vulncheck.com", "url": "https://cxsecurity.com/issue/WLB-2017050022"}, {"source": "disclosure@vulncheck.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/125646"}, {"source": "disclosure@vulncheck.com", "url": "https://packetstormsecurity.com/files/142383"}, {"source": "disclosure@vulncheck.com", "url": "https://www.exploit-db.com/exploits/41958/"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/serviio-pro-rest-api-information-disclosure"}, {"source": "disclosure@vulncheck.com", "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5404.php"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.8.0.0 PRO"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.7.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.7.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.6.1"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Serviio PRO", "source": "cna", "vendor": "Serviio"}, "product": "serviio_pro", "vendor": "serviio"}], "analysis": {"en": {"generated_at": "2026-03-21T15:06:09.672961+00:00", "value": {"mitigation_remediation": ["Apply the most recent Serviio PRO patch that fixes the REST API information disclosure issue.", "Restrict network access to the REST API endpoints with firewall rules or by limiting them to trusted hosts.", "If the REST API is not required, disable or remove it from the configuration."], "summary": {"action": "Patch", "impact": "Remote Information Disclosure"}, "threat_synthesis": {"affected_systems": "The impacted product is Serviio PRO version 1.8 from the vendor Serviio; no other versions are listed as affected.", "description_and_impact": "Serviio PRO 1.8 contains a flaw in its Configuration REST API that allows unauthenticated attackers to send crafted requests and retrieve sensitive configuration data such as credentials and network settings, resulting in a compromise of confidentiality; the vulnerability is classified as CWE\u2011306, indicating an authorization bypass.", "risk_and_exploitability": "With a CVSS score of 8.7 the vulnerability is considered high severity, but its EPSS score of less than 1\u202f% suggests low likelihood of exploitation, and it is not listed in the CISA KEV catalog, yet the lack of authentication requirements means any remote host that can reach the REST API can obtain the disclosed information."}}}}, "created": "2026-03-16T09:21:04.643449+00:00", "updated": "2026-03-23T14:01:21.939619+00:00", "vendors": ["serviio", "serviio$PRODUCT$serviio_pro"]}