CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Description
Serviio PRO 1.8 contains an information disclosure vulnerability due to improper access control enforcement in the Configuration REST API that allows unauthenticated attackers to access sensitive information. Remote attackers can send specially crafted requests to the REST API endpoints to retrieve potentially sensitive configuration data without authentication.
Analysis
An information disclosure vulnerability in Serviio PRO 1.8 and earlier versions allows unauthenticated remote attackers to retrieve sensitive configuration data through the Configuration REST API due to missing authentication controls. Multiple public exploits are available, with proof-of-concept code published on Exploit-DB and PacketStorm, making this vulnerability easily exploitable by attackers with no special privileges or user interaction required.
Technical Context
Serviio PRO is a media streaming server that implements a REST API for configuration management. The vulnerability stems from CWE-306 (Missing Authentication for Critical Function): the REST API endpoints fail to enforce authentication checks before serving configuration data. The affected versions include Serviio PRO 1.6.1, 1.7.0, 1.7.1, and 1.8.0.0 PRO, as identified by the CPE cpe:2.3:a:serviio:serviio_pro:*:*:*:*:*:*:*:*. The REST API, designed for administrative configuration, inadvertently exposes sensitive server settings to any attacker with network access to the service.
Affected Products
Serviio PRO versions 1.6.1, 1.7.0, 1.7.1, and 1.8.0.0 PRO are confirmed vulnerable based on EUVD data. The CPE identifier cpe:2.3:a:serviio:serviio_pro:*:*:*:*:*:*:*:* indicates all versions may be affected, though specific testing confirms the versions listed. The vulnerability affects the Configuration REST API component specifically, which is typically exposed on the same port as the web interface.
Remediation
Upgrade to a Serviio PRO version newer than 1.8.0.0, if one is available. As an immediate workaround, restrict network access to the Serviio PRO REST API using firewall rules or access control lists so that only trusted networks can reach it. Consider placing a reverse proxy that enforces authentication in front of the Serviio service. Monitor for unauthorized access attempts against the REST API endpoints. The ZeroScience advisory (https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5404.php) may contain additional vendor-specific guidance.
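One way to act on the monitoring advice above, as an added example that is not part of this advisory or of Serviio itself: a Python audit over reverse-proxy access logs that flags Configuration REST API requests which the network restriction or the proxy's authentication should have stopped. The API path prefix, the trusted networks and the log lines are assumptions and constructed samples, since the advisory names no endpoint paths.

```python
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

# Assumptions (the advisory names no endpoint paths): the reverse proxy in front of
# Serviio logs in combined format and publishes the Configuration REST API under
# API_PREFIX; TRUSTED_NETS are the networks allowed to reach it.
API_PREFIX = "/rest/"
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("10.0.0.0/8")]
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
Finding = Tuple[str, str, int, str]  # (client ip, path, status, reason)


def is_trusted(ip: str) -> bool:
    """True when the client address falls inside an allowed network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def audit_line(line: str) -> Optional[Finding]:
    """Flag configuration-API requests that the mitigations should have stopped."""
    m = LOG_RE.match(line)
    if not m or not m["path"].startswith(API_PREFIX):
        return None
    ip, path, status, user = m["ip"], m["path"], int(m["status"]), m["user"]
    if not is_trusted(ip):
        # A 2xx/3xx from outside the allow-list means the network restriction is
        # not in effect; a 4xx is a denied probe, still worth recording.
        if status < 400:
            return ip, path, status, "config API served to untrusted client"
        return ip, path, status, "config API probe from untrusted client denied"
    if user == "-" and status < 400:
        # The proxy recorded no authenticated user but still served the request.
        return ip, path, status, "config API served without proxy authentication"
    return None


def audit(lines: Iterable[str]) -> List[Finding]:
    return [f for f in map(audit_line, lines) if f is not None]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Nov/2017:10:00:01 +0000] "GET /rest/config HTTP/1.1" 200 512 "-" "curl/7.55"',
    '203.0.113.7 - - [12/Nov/2017:10:00:02 +0000] "GET /rest/config HTTP/1.1" 403 162 "-" "curl/7.55"',
    '192.168.1.20 - admin [12/Nov/2017:10:01:00 +0000] "GET /rest/config HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.168.1.20 - - [12/Nov/2017:10:02:00 +0000] "GET /rest/config HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]
```

Run `audit()` over the proxy's access log; the third sample line (authenticated, trusted client) produces no finding, the other three do.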
EUVD-2017-18928