ID

VAR-201510-0025


CVE

CVE-2015-6348


TITLE

Vulnerability in the report-generation web interface of the Solution Engine in Cisco Secure Access Control Server that allows bypassing role-based access control

Trust: 0.8

sources: JVNDB: JVNDB-2015-005685

DESCRIPTION

The report-generation web interface in the Solution Engine in Cisco Secure Access Control Server (ACS) 5.7(0.15) allows remote authenticated users to bypass intended RBAC restrictions, and read report or status information, by visiting an unspecified web page. Successfully exploiting this issue may allow an attacker to gain access to sensitive information. This issue is being tracked by Cisco Bug ID CSCuw24661. Solution Engine is one of the server engine solutions. The vulnerability is caused by the program not correctly performing RBAC authentication.

Trust: 1.98

sources: NVD: CVE-2015-6348 // JVNDB: JVNDB-2015-005685 // BID: 77310 // VULHUB: VHN-84309

AFFECTED PRODUCTS

vendor: cisco, model: secure access control server, scope: eq, version: 5.7.0.15

Trust: 1.6

vendor: cisco, model: secure access control server solution engine, scope: eq, version: 5.7(0.15)

Trust: 0.8

vendor: cisco, model: secure access control server solution engine, scope: eq, version: 5.7.0.15

Trust: 0.3

sources: BID: 77310 // JVNDB: JVNDB-2015-005685 // CNNVD: CNNVD-201510-782 // NVD: CVE-2015-6348

CVSS

SEVERITY

nvd@nist.gov: CVE-2015-6348
value: MEDIUM

Trust: 1.0

NVD: CVE-2015-6348
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201510-782
value: MEDIUM

Trust: 0.6

VULHUB: VHN-84309
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2015-6348
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-84309
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-84309 // JVNDB: JVNDB-2015-005685 // CNNVD: CNNVD-201510-782 // NVD: CVE-2015-6348

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.9

sources: VULHUB: VHN-84309 // JVNDB: JVNDB-2015-005685 // NVD: CVE-2015-6348

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201510-782

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201510-782

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-005685

PATCH

title: cisco-sa-20151023-acs_rbac1, url: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151023-acs_rbac1

Trust: 0.8

title: Cisco Secure Access Control Server Solution Engine Fixes for permissions and access control vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=58513

Trust: 0.6

sources: JVNDB: JVNDB-2015-005685 // CNNVD: CNNVD-201510-782

EXTERNAL IDS

db: NVD, id: CVE-2015-6348

Trust: 2.8

db: SECTRACK, id: 1033970

Trust: 1.1

db: JVNDB, id: JVNDB-2015-005685

Trust: 0.8

db: CNNVD, id: CNNVD-201510-782

Trust: 0.7

db: BID, id: 77310

Trust: 0.4

db: VULHUB, id: VHN-84309

Trust: 0.1

sources: VULHUB: VHN-84309 // BID: 77310 // JVNDB: JVNDB-2015-005685 // CNNVD: CNNVD-201510-782 // NVD: CVE-2015-6348

REFERENCES

url:http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20151023-acs_rbac1

Trust: 2.0

url:http://www.securitytracker.com/id/1033970

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-6348

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-6348

Trust: 0.8

url:http://www.cisco.com/

Trust: 0.3

sources: VULHUB: VHN-84309 // BID: 77310 // JVNDB: JVNDB-2015-005685 // CNNVD: CNNVD-201510-782 // NVD: CVE-2015-6348

CREDITS

Cisco

Trust: 0.3

sources: BID: 77310

SOURCES

db: VULHUB, id: VHN-84309
db: BID, id: 77310
db: JVNDB, id: JVNDB-2015-005685
db: CNNVD, id: CNNVD-201510-782
db: NVD, id: CVE-2015-6348

LAST UPDATE DATE

2024-11-23T21:43:47.578000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-84309, date: 2016-12-07T00:00:00
db: BID, id: 77310, date: 2015-10-26T00:00:00
db: JVNDB, id: JVNDB-2015-005685, date: 2015-11-02T00:00:00
db: CNNVD, id: CNNVD-201510-782, date: 2015-11-02T00:00:00
db: NVD, id: CVE-2015-6348, date: 2024-11-21T02:34:49.837

SOURCES RELEASE DATE

db: VULHUB, id: VHN-84309, date: 2015-10-30T00:00:00
db: BID, id: 77310, date: 2015-10-26T00:00:00
db: JVNDB, id: JVNDB-2015-005685, date: 2015-11-02T00:00:00
db: CNNVD, id: CNNVD-201510-782, date: 2015-10-30T00:00:00
db: NVD, id: CVE-2015-6348, date: 2015-10-30T10:59:06.010