Details of VAR-201404-0574

ID

VAR-201404-0574

CVE

CVE-2014-2137

TITLE

Cisco Web Security Appliance HTTP Header Injection Vulnerability

Trust: 0.9

sources: CNVD: CNVD-2014-02111 // BID: 66565

DESCRIPTION

CRLF injection vulnerability in the web framework in Cisco Web Security Appliance (WSA) 7.7 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct redirection attacks via a crafted URL, aka Bug ID CSCuj61002. This issue is tracked by Cisco BugId CSCuj61002. The appliance provides SaaS-based access control, real-time network reporting and tracking, and security policy formulation

Trust: 2.52

sources: NVD: CVE-2014-2137 // JVNDB: JVNDB-2014-001894 // CNVD: CNVD-2014-02111 // BID: 66565 // VULHUB: VHN-70076

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2014-02111

AFFECTED PRODUCTS

vendor:	cisco	model:	web security virtual appliance	scope:	lte	version:	7.7	Trust: 1.8
vendor:	cisco	model:	web security virtual appliance	scope:	eq	version:	7.1.2	Trust: 1.6
vendor:	cisco	model:	web security virtual appliance	scope:	eq	version:	7.1.4	Trust: 1.6
vendor:	cisco	model:	web security virtual appliance	scope:	eq	version:	7.5.0	Trust: 1.6
vendor:	cisco	model:	web security virtual appliance	scope:	eq	version:	7.1.3	Trust: 1.6
vendor:	cisco	model:	web security appliance	scope:	eq	version:	-	Trust: 1.6
vendor:	cisco	model:	web security virtual appliance	scope:	eq	version:	7.1.1	Trust: 1.6
vendor:	cisco	model:	web security virtual appliance	scope:	eq	version:	7.1.0	Trust: 1.6
vendor:	cisco	model:	web security virtual appliance	scope:	eq	version:	7.5.1	Trust: 1.6
vendor:	cisco	model:	web security the appliance	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	web security appliance	scope:	-	version:	-	Trust: 0.6
vendor:	cisco	model:	web security virtual appliance	scope:	eq	version:	7.7	Trust: 0.6

sources: CNVD: CNVD-2014-02111 // JVNDB: JVNDB-2014-001894 // CNNVD: CNNVD-201404-032 // NVD: CVE-2014-2137

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-2137
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2014-2137
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2014-02111
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201404-032
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-70076
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2014-2137
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2014-02111
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-70076
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: CNVD: CNVD-2014-02111 // VULHUB: VHN-70076 // JVNDB: JVNDB-2014-001894 // CNNVD: CNNVD-201404-032 // NVD: CVE-2014-2137

PROBLEMTYPE DATA

problemtype:

CWE-20

Trust: 1.9

sources: VULHUB: VHN-70076 // JVNDB: JVNDB-2014-001894 // NVD: CVE-2014-2137

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201404-032

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-201404-032

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-001894

PATCH

title:	Cisco WSA HTTP Header Injection Vulnerability	url:	http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-2137	Trust: 0.8
title:	33608	url:	http://tools.cisco.com/security/center/viewAlert.x?alertId=33608	Trust: 0.8

sources: JVNDB: JVNDB-2014-001894

EXTERNAL IDS

db:	NVD	id:	CVE-2014-2137	Trust: 3.4
db:	BID	id:	66565	Trust: 1.0
db:	JVNDB	id:	JVNDB-2014-001894	Trust: 0.8
db:	CNNVD	id:	CNNVD-201404-032	Trust: 0.7
db:	OSVDB	id:	105238	Trust: 0.6
db:	CNVD	id:	CNVD-2014-02111	Trust: 0.6
db:	SECUNIA	id:	57700	Trust: 0.6
db:	CISCO	id:	20140401 CISCO WSA HTTP HEADER INJECTION VULNERABILITY	Trust: 0.6
db:	VULHUB	id:	VHN-70076	Trust: 0.1

sources: CNVD: CNVD-2014-02111 // VULHUB: VHN-70076 // BID: 66565 // JVNDB: JVNDB-2014-001894 // CNNVD: CNNVD-201404-032 // NVD: CVE-2014-2137

REFERENCES

url:	http://tools.cisco.com/security/center/content/ciscosecuritynotice/cve-2014-2137	Trust: 2.3
url:	http://tools.cisco.com/security/center/viewalert.x?alertid=33608	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-2137	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-2137	Trust: 0.8
url:	http://osvdb.com/show/osvdb/105238	Trust: 0.6
url:	http://secunia.com/advisories/57700	Trust: 0.6
url:	www.cisco.com	Trust: 0.3

sources: CNVD: CNVD-2014-02111 // VULHUB: VHN-70076 // BID: 66565 // JVNDB: JVNDB-2014-001894 // CNNVD: CNNVD-201404-032 // NVD: CVE-2014-2137

CREDITS

Cisco

Trust: 0.3

sources: BID: 66565

SOURCES

db:	CNVD	id:	CNVD-2014-02111
db:	VULHUB	id:	VHN-70076
db:	BID	id:	66565
db:	JVNDB	id:	JVNDB-2014-001894
db:	CNNVD	id:	CNNVD-201404-032
db:	NVD	id:	CVE-2014-2137

LAST UPDATE DATE

2024-11-23T22:39:02.552000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2014-02111	date:	2014-04-03T00:00:00
db:	VULHUB	id:	VHN-70076	date:	2014-04-02T00:00:00
db:	BID	id:	66565	date:	2014-04-02T07:18:00
db:	JVNDB	id:	JVNDB-2014-001894	date:	2014-04-03T00:00:00
db:	CNNVD	id:	CNNVD-201404-032	date:	2014-04-03T00:00:00
db:	NVD	id:	CVE-2014-2137	date:	2024-11-21T02:05:43.400

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2014-02111	date:	2014-04-03T00:00:00
db:	VULHUB	id:	VHN-70076	date:	2014-04-02T00:00:00
db:	BID	id:	66565	date:	2014-04-01T00:00:00
db:	JVNDB	id:	JVNDB-2014-001894	date:	2014-04-03T00:00:00
db:	CNNVD	id:	CNNVD-201404-032	date:	2014-04-03T00:00:00
db:	NVD	id:	CVE-2014-2137	date:	2014-04-02T03:58:17.123