PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5182 Novell CVE debrief

CVE-2017-5182 affects Remote Manager in Novell Open Enterprise Server (OES) for Linux. According to the CVE/NVD record, a specially crafted URL can let a remote attacker read arbitrary files without authentication, leading to complete information disclosure. NVD assigns a CVSS 3.0 base score of 7.5 (High), with network access, no privileges required, no user interaction, and high confidentiality impact. The CVE was published on 2017-01-23; NVD later modified the record on 2026-05-13.

Vendor: Novell
Product: CVE-2017-5182
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-23
Original CVE updated: 2026-05-13
Advisory published: 2017-01-23
Advisory updated: 2026-05-13

Who should care

Administrators and security teams running Novell Open Enterprise Server on Linux, especially any environment that exposes Remote Manager beyond a trusted admin network. This matters most where OES hosts sensitive configuration, credentials, keys, or operational data that could be exposed through arbitrary file reads.

Technical summary

The official NVD record maps CVE-2017-5182 to CWE-22 (Path Traversal) and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The vulnerable component is Remote Manager in OES, where a crafted URL can traverse directories and return the contents of arbitrary files. The source description lists affected versions as OES 2015 SP1 before Maintenance Update 11080, OES 2015 before Maintenance Update 11079, OES 11 SP3 before Maintenance Update 11078, and OES 11 SP2 before Maintenance Update 11077; NVD also lists vulnerable CPEs for OES 2.0, 2015, and 11.0 on Linux.

Defensive priority

High. This is a remote, unauthenticated disclosure flaw affecting an administrative service. Prioritize internet-facing or broadly reachable OES management endpoints, because the main risk is exposure of sensitive files rather than service interruption.

Recommended defensive actions

  • Apply the relevant Novell maintenance update for your OES release: 11080, 11079, 11078, or 11077, or a later fixed version.
  • Restrict access to Remote Manager so it is reachable only from trusted administrative networks or via VPN.
  • Inventory OES deployments on Linux and confirm whether any affected version remains in service.
  • Review Remote Manager access logs for unusual URL patterns or repeated file-read attempts.
  • If exposure is suspected, assess whether credentials, keys, or configuration files may have been read and rotate secrets as needed.
  • Use the Novell KB reference cited by NVD to validate vendor-specific remediation guidance for your environment.
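
One way to carry out the log review step above, as an added example that is not from the NVD record or from Novell: a small scanner that flags requests whose URL contains a ".." path segment after repeated percent-decoding. The Common Log Format style line layout is an assumption (the page does not describe Remote Manager's log format or location), and the sample lines and paths are constructed, not the crafted URL for this CVE.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Assumed layout: ip - user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

def fully_decode(target, max_rounds=5):
    """Percent-decode repeatedly so double-encoded input (%252e) is unmasked."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def has_traversal(target):
    """True if any path or query segment equals '..' after decoding."""
    norm = fully_decode(target).replace("\\", "/")
    return any(seg == ".." for seg in re.split(r"[/?&=;]", norm))

def scan(lines):
    """Return (hits, per_ip); hits are (ip, target, status) tuples."""
    hits, per_ip = [], Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line in the assumed layout
        ip, _method, target, status = m.groups()
        if has_traversal(target):
            hits.append((ip, target, int(status)))
            per_ip[ip] += 1
    return hits, per_ip

# Constructed sample lines (documentation IP ranges, made-up paths).
SAMPLE = [
    '198.51.100.7 - - [23/Jan/2017:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.9 - - [23/Jan/2017:10:00:02 +0000] "GET /files/../../etc/hosts HTTP/1.1" 200 220',
    '203.0.113.9 - - [23/Jan/2017:10:00:03 +0000] "GET /files/%2e%2e%2f%2e%2e%2fetc/hosts HTTP/1.1" 200 220',
    '203.0.113.9 - - [23/Jan/2017:10:00:04 +0000] "GET /files/%252e%252e%255cetc%255chosts HTTP/1.1" 404 0',
    '198.51.100.7 - - [23/Jan/2017:10:00:05 +0000] "GET /docs/v1..2/notes.txt HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    hits, per_ip = scan(SAMPLE)
    for ip, target, status in hits:
        # A 2xx status on a flagged request means content may have been returned.
        print(ip, status, "review" if 200 <= status < 300 else "rejected", target)
    print(dict(per_ip))
```

Flagged requests that returned a 2xx status are the ones to check against the secret-rotation step that follows, since they indicate a file may actually have been served.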

Evidence notes

This debrief is based on the supplied CVE/NVD corpus only. The core facts come from the official NVD record: unauthenticated remote file read via directory traversal in OES Remote Manager, CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, and CWE-22/CWE-200 mapping. The vendor reference cited by NVD is Novell KB 7018503, which supports the fix/version guidance. The CVE publish time used here is 2017-01-23, not the later NVD modification timestamp.

Official resources

Publicly disclosed on 2017-01-23 per the CVE/NVD record; the NVD entry was later modified on 2026-05-13.