Details of VAR-201502-0119

ID

VAR-201502-0119

CVE

CVE-2015-0580

TITLE

Cisco Secure Access Control System SQL Injection Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2015-01137 // CNNVD: CNNVD-201502-265

DESCRIPTION

Multiple SQL injection vulnerabilities in the ACS View reporting interface pages in Cisco Secure Access Control System (ACS) before 5.5 patch 7 allow remote authenticated administrators to execute arbitrary SQL commands via crafted HTTPS requests, aka Bug ID CSCuq79027. Vendors have confirmed this vulnerability Bug ID CSCuq79027 It is released as.Crafted by a remotely authenticated administrator HTTPS Any via request SQL The command may be executed. Cisco Secure ACS is a central management platform for Cisco network devices that controls device authentication and authorization. An attacker could exploit this vulnerability to compromise an application, accessing or modifying data. This issue is tracked by Cisco Bug ID CSCuq79027. The system can respectively control network access and network device access through RADIUS and TACACS protocols

Trust: 2.52

sources: NVD: CVE-2015-0580 // JVNDB: JVNDB-2015-001485 // CNVD: CNVD-2015-01137 // BID: 72576 // VULHUB: VHN-78526

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2015-01137

AFFECTED PRODUCTS

vendor:	cisco	model:	secure access control system	scope:	lte	version:	5.5.0.46	Trust: 1.0
vendor:	cisco	model:	secure access control system software	scope:	lt	version:	5.5 patch 7	Trust: 0.8
vendor:	cisco	model:	secure access control system	scope:	-	version:	-	Trust: 0.6
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.5.0.46	Trust: 0.6

sources: CNVD: CNVD-2015-01137 // JVNDB: JVNDB-2015-001485 // CNNVD: CNNVD-201502-265 // NVD: CVE-2015-0580

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2015-0580
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2015-0580
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2015-01137
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201502-265
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-78526
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2015-0580
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2015-01137
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	8.5
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-78526
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: CNVD: CNVD-2015-01137 // VULHUB: VHN-78526 // JVNDB: JVNDB-2015-001485 // CNNVD: CNNVD-201502-265 // NVD: CVE-2015-0580

PROBLEMTYPE DATA

problemtype:

CWE-89

Trust: 1.9

sources: VULHUB: VHN-78526 // JVNDB: JVNDB-2015-001485 // NVD: CVE-2015-0580

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201502-265

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-201502-265

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-001485

PATCH

title:	cisco-sa-20150211-csacs	url:	http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150211-csacs	Trust: 0.8
title:	37354	url:	http://tools.cisco.com/security/center/viewAlert.x?alertId=37354	Trust: 0.8
title:	cisco-sa-20150211-csacs	url:	http://www.cisco.com/cisco/web/support/JP/112/1128/1128310_cisco-sa-20150211-csacs-j.html	Trust: 0.8
title:	Patch for Cisco Secure Access Control System SQL Injection Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/55392	Trust: 0.6

sources: CNVD: CNVD-2015-01137 // JVNDB: JVNDB-2015-001485

EXTERNAL IDS

db:	NVD	id:	CVE-2015-0580	Trust: 3.4
db:	BID	id:	72576	Trust: 2.0
db:	SECTRACK	id:	1031740	Trust: 1.1
db:	JVNDB	id:	JVNDB-2015-001485	Trust: 0.8
db:	CNNVD	id:	CNNVD-201502-265	Trust: 0.7
db:	CNVD	id:	CNVD-2015-01137	Trust: 0.6
db:	VULHUB	id:	VHN-78526	Trust: 0.1

sources: CNVD: CNVD-2015-01137 // VULHUB: VHN-78526 // BID: 72576 // JVNDB: JVNDB-2015-001485 // CNNVD: CNNVD-201502-265 // NVD: CVE-2015-0580

REFERENCES

url:	http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20150211-csacs	Trust: 1.7
url:	http://www.securityfocus.com/bid/72576	Trust: 1.1
url:	http://www.securitytracker.com/id/1031740	Trust: 1.1
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/100812	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-0580	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-0580	Trust: 0.8
url:	http://www.securityfocus.com/bid/72576/info	Trust: 0.6
url:	http://www.cisco.com	Trust: 0.3

sources: CNVD: CNVD-2015-01137 // VULHUB: VHN-78526 // BID: 72576 // JVNDB: JVNDB-2015-001485 // CNNVD: CNNVD-201502-265 // NVD: CVE-2015-0580

CREDITS

Lukasz Plonka from ING Services Polska

Trust: 0.3

sources: BID: 72576

SOURCES

db:	CNVD	id:	CNVD-2015-01137
db:	VULHUB	id:	VHN-78526
db:	BID	id:	72576
db:	JVNDB	id:	JVNDB-2015-001485
db:	CNNVD	id:	CNNVD-201502-265
db:	NVD	id:	CVE-2015-0580

LAST UPDATE DATE

2024-11-23T22:34:59.689000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2015-01137	date:	2015-02-13T00:00:00
db:	VULHUB	id:	VHN-78526	date:	2017-09-08T00:00:00
db:	BID	id:	72576	date:	2015-03-19T08:05:00
db:	JVNDB	id:	JVNDB-2015-001485	date:	2015-02-17T00:00:00
db:	CNNVD	id:	CNNVD-201502-265	date:	2015-02-12T00:00:00
db:	NVD	id:	CVE-2015-0580	date:	2024-11-21T02:23:21.360

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2015-01137	date:	2015-02-13T00:00:00
db:	VULHUB	id:	VHN-78526	date:	2015-02-12T00:00:00
db:	BID	id:	72576	date:	2015-02-11T00:00:00
db:	JVNDB	id:	JVNDB-2015-001485	date:	2015-02-17T00:00:00
db:	CNNVD	id:	CNNVD-201502-265	date:	2015-02-12T00:00:00
db:	NVD	id:	CVE-2015-0580	date:	2015-02-12T01:59:21.593