Details of VAR-201402-0209

ID

VAR-201402-0209

CVE

CVE-2014-0731

TITLE

Cisco Unified Communications Manager Vulnerabilities that bypass authentication in the management interface

Trust: 0.8

sources: JVNDB: JVNDB-2014-001454

DESCRIPTION

The administration interface in Cisco Unified Communications Manager (Unified CM) 10.0(1) and earlier allows remote attackers to bypass authentication and read Java class files via a direct request, aka Bug ID CSCum46497. An attacker can exploit this issue to gain access to sensitive information that may aid in further attacks. This issue is being tracked by Cisco BugId CSCum46497. This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution

Trust: 1.98

sources: NVD: CVE-2014-0731 // JVNDB: JVNDB-2014-001454 // BID: 65644 // VULHUB: VHN-68224

AFFECTED PRODUCTS

vendor:	cisco	model:	unified communications manager	scope:	eq	version:	4.3	Trust: 1.6
vendor:	cisco	model:	unified communications manager	scope:	eq	version:	4.2.3sr2b	Trust: 1.6
vendor:	cisco	model:	unified communications manager	scope:	eq	version:	4.2.1	Trust: 1.6
vendor:	cisco	model:	unified communications manager	scope:	eq	version:	4.1\(3\)sr4	Trust: 1.6
vendor:	cisco	model:	unified communications manager	scope:	eq	version:	4.2	Trust: 1.6
vendor:	cisco	model:	unified communications manager	scope:	eq	version:	4.2.3	Trust: 1.6
vendor:	cisco	model:	unified communications manager	scope:	eq	version:	4.2.3sr1	Trust: 1.6
vendor:	cisco	model:	unified communications manager	scope:	eq	version:	4.2.3sr2	Trust: 1.6
vendor:	cisco	model:	unified communications manager	scope:	eq	version:	4.1\(3\)sr3	Trust: 1.6
vendor:	cisco	model:	unified communications manager	scope:	eq	version:	4.2.2	Trust: 1.6
vendor:	cisco	model:	unified communications manager	scope:	eq	version:	3.3\(5\)	Trust: 1.0
vendor:	cisco	model:	unified communications manager	scope:	eq	version:	3.3\(5\)sr2a	Trust: 1.0
vendor:	cisco	model:	unified communications manager	scope:	eq	version:	3.3\(5\)sr1	Trust: 1.0
vendor:	cisco	model:	unified communications manager	scope:	lte	version:	10.0\(1\)	Trust: 1.0
vendor:	cisco	model:	unified communications manager	scope:	eq	version:	4.1\(3\)sr2	Trust: 1.0
vendor:	cisco	model:	unified communications manager	scope:	eq	version:	4.1\(3\)	Trust: 1.0
vendor:	cisco	model:	unified communications manager	scope:	eq	version:	10.0	Trust: 1.0
vendor:	cisco	model:	unified communications manager	scope:	eq	version:	4.1\(3\)sr1	Trust: 1.0
vendor:	cisco	model:	unified communications manager	scope:	lte	version:	10.0(1)	Trust: 0.8

sources: JVNDB: JVNDB-2014-001454 // CNNVD: CNNVD-201402-321 // NVD: CVE-2014-0731

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-0731
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2014-0731
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201402-321
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-68224
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2014-0731
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-68224
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-68224 // JVNDB: JVNDB-2014-001454 // CNNVD: CNNVD-201402-321 // NVD: CVE-2014-0731

PROBLEMTYPE DATA

problemtype:

CWE-264

Trust: 1.9

sources: VULHUB: VHN-68224 // JVNDB: JVNDB-2014-001454 // NVD: CVE-2014-0731

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201402-321

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201402-321

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-001454

PATCH

title:	Cisco Unified Communications Manager Java Class File Availability Vulnerability	url:	http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-0731	Trust: 0.8
title:	32915	url:	http://tools.cisco.com/security/center/viewAlert.x?alertId=32915	Trust: 0.8

sources: JVNDB: JVNDB-2014-001454

EXTERNAL IDS

db:	NVD	id:	CVE-2014-0731	Trust: 2.8
db:	JVNDB	id:	JVNDB-2014-001454	Trust: 0.8
db:	CNNVD	id:	CNNVD-201402-321	Trust: 0.7
db:	CISCO	id:	20140218 CISCO UNIFIED COMMUNICATIONS MANAGER JAVA CLASS FILE AVAILABILITY VULNERABILITY	Trust: 0.6
db:	BID	id:	65644	Trust: 0.4
db:	VULHUB	id:	VHN-68224	Trust: 0.1

sources: VULHUB: VHN-68224 // BID: 65644 // JVNDB: JVNDB-2014-001454 // CNNVD: CNNVD-201402-321 // NVD: CVE-2014-0731

REFERENCES

url:	http://tools.cisco.com/security/center/content/ciscosecuritynotice/cve-2014-0731	Trust: 1.7
url:	http://tools.cisco.com/security/center/viewalert.x?alertid=32915	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0731	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-0731	Trust: 0.8
url:	http://www.cisco.com/	Trust: 0.3

sources: VULHUB: VHN-68224 // BID: 65644 // JVNDB: JVNDB-2014-001454 // CNNVD: CNNVD-201402-321 // NVD: CVE-2014-0731

CREDITS

Cisco

Trust: 0.3

sources: BID: 65644

SOURCES

db:	VULHUB	id:	VHN-68224
db:	BID	id:	65644
db:	JVNDB	id:	JVNDB-2014-001454
db:	CNNVD	id:	CNNVD-201402-321
db:	NVD	id:	CVE-2014-0731

LAST UPDATE DATE

2024-11-23T22:31:20.770000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-68224	date:	2016-09-09T00:00:00
db:	BID	id:	65644	date:	2014-02-21T02:20:00
db:	JVNDB	id:	JVNDB-2014-001454	date:	2014-02-25T00:00:00
db:	CNNVD	id:	CNNVD-201402-321	date:	2014-02-26T00:00:00
db:	NVD	id:	CVE-2014-0731	date:	2024-11-21T02:02:42.357

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-68224	date:	2014-02-22T00:00:00
db:	BID	id:	65644	date:	2014-02-18T00:00:00
db:	JVNDB	id:	JVNDB-2014-001454	date:	2014-02-25T00:00:00
db:	CNNVD	id:	CNNVD-201402-321	date:	2014-02-26T00:00:00
db:	NVD	id:	CVE-2014-0731	date:	2014-02-22T21:55:09.670