ID

VAR-201310-0521


CVE

CVE-2013-5538


TITLE

Arbitrary file read vulnerability in the Sponsor Portal of Cisco Identity Services Engine

Trust: 0.8

sources: JVNDB: JVNDB-2013-004728

DESCRIPTION

The Sponsor Portal in Cisco Identity Services Engine (ISE) uses weak permissions for uploaded files, which allows remote attackers to read arbitrary files via a direct request, aka Bug ID CSCui67506. The vendor has published this vulnerability as Bug ID CSCui67506. Arbitrary files may be read by third parties via direct requests. An attacker can exploit this issue to access arbitrary files in the context of the web server process, which may aid in further attacks. This issue is being tracked by Cisco Bug ID CSCui67506. The ISE platform monitors the network by collecting real-time information on the network, users and devices, and formulating and implementing corresponding policies.

Trust: 1.98

sources: NVD: CVE-2013-5538 // JVNDB: JVNDB-2013-004728 // BID: 63035 // VULHUB: VHN-65540

AFFECTED PRODUCTS

vendor: cisco, model: identity services engine software, scope: eq, version: -

Trust: 1.6

vendor: cisco, model: identity services engine, scope: eq, version: -

Trust: 1.0

vendor: cisco, model: identity services engine, scope: -, version: -

Trust: 0.8

vendor: cisco, model: identity services engine software, scope: lte, version: 1.2

Trust: 0.8

sources: JVNDB: JVNDB-2013-004728 // CNNVD: CNNVD-201310-319 // NVD: CVE-2013-5538

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2013-5538
value: MEDIUM

Trust: 1.0

NVD: CVE-2013-5538
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201310-319
value: MEDIUM

Trust: 0.6

VULHUB: VHN-65540
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2013-5538
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-65540
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-65540 // JVNDB: JVNDB-2013-004728 // CNNVD: CNNVD-201310-319 // NVD: CVE-2013-5538

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.9

sources: VULHUB: VHN-65540 // JVNDB: JVNDB-2013-004728 // NVD: CVE-2013-5538

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201310-319

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201310-319

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-004728

PATCH

title: Cisco Identity Services Engine Sponsor Portal File Access Vulnerability
url: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5538

Trust: 0.8

title: 31280
url: http://tools.cisco.com/security/center/viewAlert.x?alertId=31280

Trust: 0.8

sources: JVNDB: JVNDB-2013-004728

EXTERNAL IDS

db: NVD, id: CVE-2013-5538

Trust: 2.8

db: JVNDB, id: JVNDB-2013-004728

Trust: 0.8

db: CISCO, id: 20131015 CISCO IDENTITY SERVICES ENGINE SPONSOR PORTAL FILE ACCESS VULNERABILITY

Trust: 0.6

db: CNNVD, id: CNNVD-201310-319

Trust: 0.6

db: BID, id: 63035

Trust: 0.4

db: VULHUB, id: VHN-65540

Trust: 0.1

sources: VULHUB: VHN-65540 // BID: 63035 // JVNDB: JVNDB-2013-004728 // CNNVD: CNNVD-201310-319 // NVD: CVE-2013-5538

REFERENCES

url:http://tools.cisco.com/security/center/content/ciscosecuritynotice/cve-2013-5538

Trust: 1.7

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-5538

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-5538

Trust: 0.8

sources: VULHUB: VHN-65540 // JVNDB: JVNDB-2013-004728 // CNNVD: CNNVD-201310-319 // NVD: CVE-2013-5538

CREDITS

Cisco

Trust: 0.3

sources: BID: 63035

SOURCES

db: VULHUB, id: VHN-65540
db: BID, id: 63035
db: JVNDB, id: JVNDB-2013-004728
db: CNNVD, id: CNNVD-201310-319
db: NVD, id: CVE-2013-5538

LAST UPDATE DATE

2024-11-23T23:09:55.642000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-65540, date: 2013-10-16T00:00:00
db: BID, id: 63035, date: 2013-10-15T00:00:00
db: JVNDB, id: JVNDB-2013-004728, date: 2013-10-18T00:00:00
db: CNNVD, id: CNNVD-201310-319, date: 2013-10-17T00:00:00
db: NVD, id: CVE-2013-5538, date: 2024-11-21T01:57:39.823

SOURCES RELEASE DATE

db: VULHUB, id: VHN-65540, date: 2013-10-16T00:00:00
db: BID, id: 63035, date: 2013-10-15T00:00:00
db: JVNDB, id: JVNDB-2013-004728, date: 2013-10-18T00:00:00
db: CNNVD, id: CNNVD-201310-319, date: 2013-10-17T00:00:00
db: NVD, id: CVE-2013-5538, date: 2013-10-16T10:52:45.340