Details of VAR-201604-0060

ID

VAR-201604-0060

CVE

CVE-2016-1290

TITLE

Cisco Prime Infrastructure and Evolved Programmable Network Manager of Web API In RBAC Vulnerabilities that can be bypassed

Trust: 0.8

sources: JVNDB: JVNDB-2016-001949

DESCRIPTION

The web API in Cisco Prime Infrastructure 1.2.0 through 2.2(2) and Cisco Evolved Programmable Network Manager (EPNM) 1.2 allows remote authenticated users to bypass intended RBAC restrictions and gain privileges via an HTTP request that is inconsistent with a pattern filter, aka Bug ID CSCuy10227. An attacker can exploit this issue to gain elevated privileges on an affected device. This issue is being tracked by Cisco Bug ID's CSCuv61354 and CSCuy10227. PI is a set of wireless management solutions through Cisco Prime LAN Management Solution (LMS) and Cisco Prime Network Control System (NCS) technologies; EPNM is a set of network management solutions. A security vulnerability exists in the Web API of Cisco PI Release 1.2.0 through 2.2(2) and Cisco EPNM Release 1.2

Trust: 1.98

sources: NVD: CVE-2016-1290 // JVNDB: JVNDB-2016-001949 // BID: 85890 // VULHUB: VHN-90109

AFFECTED PRODUCTS

vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	2.1.0	Trust: 1.6
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	1.4.1	Trust: 1.6
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	1.4.2	Trust: 1.6
vendor:	cisco	model:	evolved programmable network manager	scope:	eq	version:	1.2.0	Trust: 1.6
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	1.2.1	Trust: 1.6
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	1.3.0.20	Trust: 1.6
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	1.2.0.103	Trust: 1.0
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	1.2	Trust: 1.0
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	2.2	Trust: 1.0
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	2.0	Trust: 1.0
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	1.3	Trust: 1.0
vendor:	sun	model:	opensolaris	scope:	eq	version:	snv_124	Trust: 1.0
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	1.4.0.45	Trust: 1.0
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	1.4	Trust: 1.0
vendor:	cisco	model:	evolved programmable network manager	scope:	eq	version:	1.2	Trust: 0.8
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	1.2.0 to 2.2(2)	Trust: 0.8
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	1.4.0	Trust: 0.6
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	1.3.0	Trust: 0.6
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	1.2.0	Trust: 0.6
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	2.0.0	Trust: 0.6

sources: JVNDB: JVNDB-2016-001949 // CNNVD: CNNVD-201604-046 // NVD: CVE-2016-1290

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2016-1290
value:	HIGH
Trust: 1.0
NVD:	CVE-2016-1290
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201604-046
value:	HIGH
Trust: 0.6
VULHUB:	VHN-90109
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2016-1290
severity:	MEDIUM
baseScore:	5.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-90109
severity:	MEDIUM
baseScore:	5.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2016-1290
baseSeverity:	HIGH
baseScore:	8.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	5.2
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-90109 // JVNDB: JVNDB-2016-001949 // CNNVD: CNNVD-201604-046 // NVD: CVE-2016-1290

PROBLEMTYPE DATA

problemtype:

CWE-264

Trust: 1.9

sources: VULHUB: VHN-90109 // JVNDB: JVNDB-2016-001949 // NVD: CVE-2016-1290

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201604-046

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201604-046

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-001949

PATCH

title:	cisco-sa-20160406-privauth	url:	http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160406-privauth	Trust: 0.8
title:	Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager Web API Repair measures for security bypass vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=60781	Trust: 0.6

sources: JVNDB: JVNDB-2016-001949 // CNNVD: CNNVD-201604-046

EXTERNAL IDS

db:	NVD	id:	CVE-2016-1290	Trust: 2.8
db:	SECTRACK	id:	1035498	Trust: 1.7
db:	JVNDB	id:	JVNDB-2016-001949	Trust: 0.8
db:	CNNVD	id:	CNNVD-201604-046	Trust: 0.7
db:	BID	id:	85890	Trust: 0.4
db:	VULHUB	id:	VHN-90109	Trust: 0.1

sources: VULHUB: VHN-90109 // BID: 85890 // JVNDB: JVNDB-2016-001949 // CNNVD: CNNVD-201604-046 // NVD: CVE-2016-1290

REFERENCES

url:	http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20160406-privauth	Trust: 2.0
url:	http://www.securitytracker.com/id/1035498	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-1290	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-1290	Trust: 0.8
url:	http://www.cisco.com/	Trust: 0.3
url:	http://www.cisco.com/c/en/us/products/cloud-systems-management/evolved-programmable-network-epn-manager/index.html	Trust: 0.3

sources: VULHUB: VHN-90109 // BID: 85890 // JVNDB: JVNDB-2016-001949 // CNNVD: CNNVD-201604-046 // NVD: CVE-2016-1290

CREDITS

Cisco

Trust: 0.3

sources: BID: 85890

SOURCES

db:	VULHUB	id:	VHN-90109
db:	BID	id:	85890
db:	JVNDB	id:	JVNDB-2016-001949
db:	CNNVD	id:	CNNVD-201604-046
db:	NVD	id:	CVE-2016-1290

LAST UPDATE DATE

2024-11-23T22:01:33.666000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-90109	date:	2019-07-29T00:00:00
db:	BID	id:	85890	date:	2016-07-06T14:29:00
db:	JVNDB	id:	JVNDB-2016-001949	date:	2016-04-08T00:00:00
db:	CNNVD	id:	CNNVD-201604-046	date:	2019-07-30T00:00:00
db:	NVD	id:	CVE-2016-1290	date:	2024-11-21T02:46:07.610

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-90109	date:	2016-04-06T00:00:00
db:	BID	id:	85890	date:	2016-04-06T00:00:00
db:	JVNDB	id:	JVNDB-2016-001949	date:	2016-04-08T00:00:00
db:	CNNVD	id:	CNNVD-201604-046	date:	2016-04-07T00:00:00
db:	NVD	id:	CVE-2016-1290	date:	2016-04-06T23:59:10.910