ID

VAR-201510-0024


CVE

CVE-2015-6347


TITLE

Role-based access control bypass vulnerability in the Solution Engine of Cisco Secure Access Control Server

Trust: 0.8

sources: JVNDB: JVNDB-2015-005684

DESCRIPTION

The Solution Engine in Cisco Secure Access Control Server (ACS) 5.7(0.15) allows remote authenticated users to bypass intended RBAC restrictions, and create a dashboard or portlet, by visiting an unspecified web page. Attackers can exploit this issue to bypass security restrictions and perform unauthorized actions; this may aid in launching further attacks. This issue is being tracked by Cisco Bug ID CSCuw24655.

Trust: 1.98

sources: NVD: CVE-2015-6347 // JVNDB: JVNDB-2015-005684 // BID: 77394 // VULHUB: VHN-84308

AFFECTED PRODUCTS

vendor: cisco, model: secure access control server, scope: eq, version: 5.7.0.15

Trust: 1.6

vendor: cisco, model: secure access control server solution engine, scope: eq, version: 5.7(0.15)

Trust: 0.8

sources: JVNDB: JVNDB-2015-005684 // CNNVD: CNNVD-201510-781 // NVD: CVE-2015-6347

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-6347
value: MEDIUM

Trust: 1.0

NVD: CVE-2015-6347
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201510-781
value: MEDIUM

Trust: 0.6

VULHUB: VHN-84308
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2015-6347
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-84308
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-84308 // JVNDB: JVNDB-2015-005684 // CNNVD: CNNVD-201510-781 // NVD: CVE-2015-6347

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.9

sources: VULHUB: VHN-84308 // JVNDB: JVNDB-2015-005684 // NVD: CVE-2015-6347

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201510-781

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201510-781

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-005684

PATCH

title: cisco-sa-20151023-acs_rbac, url: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151023-acs_rbac

Trust: 0.8

sources: JVNDB: JVNDB-2015-005684

EXTERNAL IDS

db: NVD, id: CVE-2015-6347

Trust: 2.8

db: SECTRACK, id: 1033971

Trust: 1.1

db: JVNDB, id: JVNDB-2015-005684

Trust: 0.8

db: CNNVD, id: CNNVD-201510-781

Trust: 0.7

db: BID, id: 77394

Trust: 0.4

db: VULHUB, id: VHN-84308

Trust: 0.1

sources: VULHUB: VHN-84308 // BID: 77394 // JVNDB: JVNDB-2015-005684 // CNNVD: CNNVD-201510-781 // NVD: CVE-2015-6347

REFERENCES

url:http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20151023-acs_rbac

Trust: 2.0

url:http://www.securitytracker.com/id/1033971

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-6347

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-6347

Trust: 0.8

url:http://www.cisco.com/en/us/products/sw/secursw/ps2086/index.html

Trust: 0.3

sources: VULHUB: VHN-84308 // BID: 77394 // JVNDB: JVNDB-2015-005684 // CNNVD: CNNVD-201510-781 // NVD: CVE-2015-6347

CREDITS

Cisco

Trust: 0.3

sources: BID: 77394

SOURCES

db: VULHUB, id: VHN-84308
db: BID, id: 77394
db: JVNDB, id: JVNDB-2015-005684
db: CNNVD, id: CNNVD-201510-781
db: NVD, id: CVE-2015-6347

LAST UPDATE DATE

2024-11-23T22:52:42.684000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-84308, date: 2016-12-07T00:00:00
db: BID, id: 77394, date: 2016-07-06T14:42:00
db: JVNDB, id: JVNDB-2015-005684, date: 2015-11-02T00:00:00
db: CNNVD, id: CNNVD-201510-781, date: 2015-11-02T00:00:00
db: NVD, id: CVE-2015-6347, date: 2024-11-21T02:34:49.727

SOURCES RELEASE DATE

db: VULHUB, id: VHN-84308, date: 2015-10-30T00:00:00
db: BID, id: 77394, date: 2015-10-26T00:00:00
db: JVNDB, id: JVNDB-2015-005684, date: 2015-11-02T00:00:00
db: CNNVD, id: CNNVD-201510-781, date: 2015-10-30T00:00:00
db: NVD, id: CVE-2015-6347, date: 2015-10-30T10:59:04.683