Sign-up

ID

VAR-201408-0161


CVE

CVE-2014-3338


TITLE

Cisco Unified Communications Manager of CTIManager Vulnerability gained in modules

Trust: 0.8

sources: JVNDB: JVNDB-2014-003797

DESCRIPTION

The CTIManager module in Cisco Unified Communications Manager (CM) 10.0(1), when single sign-on is enabled, does not properly validate Kerberos SSO tokens, which allows remote authenticated users to gain privileges and execute arbitrary commands via crafted token data, aka Bug ID CSCum95491. Cisco Unified Communications Manager is prone to a remote command-injection vulnerability because it fails to properly sanitize user-supplied input. Successfully exploiting this issue may allow an attacker to execute arbitrary commands in context of the affected application. This issue is being tracked by Cisco bug ID CSCum95491. Cisco Unified Communications Manager (CUCM, Unified CM, CallManager) is a call processing component in a unified communication system of Cisco (Cisco). This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution. There is a security vulnerability in the CTIManager module of Cisco Unified CM version 10.0(1)

Trust: 1.98

sources: NVD: CVE-2014-3338 // JVNDB: JVNDB-2014-003797 // BID: 69176 // VULHUB: VHN-71278

AFFECTED PRODUCTS

vendor:ciscomodel:unified communications managerscope:eqversion:10.0\(1\)

Trust: 1.6

vendor:ciscomodel:unified communications managerscope:eqversion:10.0(1)

Trust: 0.8

sources: JVNDB: JVNDB-2014-003797 // CNNVD: CNNVD-201408-223 // NVD: CVE-2014-3338

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-3338
value: HIGH

Trust: 1.0

NVD: CVE-2014-3338
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201408-223
value: HIGH

Trust: 0.6

VULHUB: VHN-71278
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2014-3338
severity: HIGH
baseScore: 8.5
vectorString: AV:N/AC:M/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 6.8
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-71278
severity: HIGH
baseScore: 8.5
vectorString: AV:N/AC:M/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 6.8
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-71278 // JVNDB: JVNDB-2014-003797 // CNNVD: CNNVD-201408-223 // NVD: CVE-2014-3338

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.9

sources: VULHUB: VHN-71278 // JVNDB: JVNDB-2014-003797 // NVD: CVE-2014-3338

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201408-223

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-201408-223

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2014-003797

PATCH
title:Cisco Unified Communications Manager CTIManager Vulnerabilityurl:http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3338
Trust: 0.8
title:35258url:http://tools.cisco.com/security/center/viewAlert.x?alertId=35258
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2014-003797

EXTERNAL IDS
db:NVDid:CVE-2014-3338
Trust: 2.8
db:BIDid:69176
Trust: 1.4
db:SECTRACKid:1030710
Trust: 1.1
db:SECUNIAid:60054
Trust: 1.1
db:JVNDBid:JVNDB-2014-003797
Trust: 0.8
db:CNNVDid:CNNVD-201408-223
Trust: 0.7
db:VULHUBid:VHN-71278
Trust: 0.1
sources:
            
            
            VULHUB: VHN-71278 // 
            
            
            
            BID: 69176 // 
            
            
            
            JVNDB: JVNDB-2014-003797 // 
            
            
            
            CNNVD: CNNVD-201408-223 // 
            
            
            
            NVD: CVE-2014-3338

REFERENCES
url:http://tools.cisco.com/security/center/content/ciscosecuritynotice/cve-2014-3338
Trust: 1.7
url:http://tools.cisco.com/security/center/viewalert.x?alertid=35258
Trust: 1.7
url:http://www.securityfocus.com/bid/69176
Trust: 1.1
url:http://www.securitytracker.com/id/1030710
Trust: 1.1
url:http://secunia.com/advisories/60054
Trust: 1.1
url:https://exchange.xforce.ibmcloud.com/vulnerabilities/95246
Trust: 1.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-3338
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-3338
Trust: 0.8
url:http://www.cisco.com/
Trust: 0.3
url:http://www.cisco.com/en/us/products/ps7060/index.html
Trust: 0.3
sources:
            
            
            VULHUB: VHN-71278 // 
            
            
            
            BID: 69176 // 
            
            
            
            JVNDB: JVNDB-2014-003797 // 
            
            
            
            CNNVD: CNNVD-201408-223 // 
            
            
            
            NVD: CVE-2014-3338

CREDITS
Cisco
Trust: 0.3
sources:
            
            
            BID: 69176

SOURCES
db:VULHUBid:VHN-71278
db:BIDid:69176
db:JVNDBid:JVNDB-2014-003797
db:CNNVDid:CNNVD-201408-223
db:NVDid:CVE-2014-3338

LAST UPDATE DATE
2024-11-23T22:08:18.575000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-71278date:2017-08-29T00:00:00
db:BIDid:69176date:2014-08-12T16:53:00
db:JVNDBid:JVNDB-2014-003797date:2014-08-15T00:00:00
db:CNNVDid:CNNVD-201408-223date:2014-08-14T00:00:00
db:NVDid:CVE-2014-3338date:2024-11-21T02:07:53.690

SOURCES RELEASE DATE
db:VULHUBid:VHN-71278date:2014-08-12T00:00:00
db:BIDid:69176date:2014-08-11T00:00:00
db:JVNDBid:JVNDB-2014-003797date:2014-08-15T00:00:00
db:CNNVDid:CNNVD-201408-223date:2014-08-14T00:00:00
db:NVDid:CVE-2014-3338date:2014-08-12T23:55:03.907