Details of VAR-201605-0412

ID

VAR-201605-0412

CVE

CVE-2016-1406

TITLE

Cisco Prime Infrastructure and Evolved Programmable Network Manager of API Web In the interface RBAC Vulnerabilities that can be bypassed

Trust: 0.8

sources: JVNDB: JVNDB-2016-002928

DESCRIPTION

The API web interface in Cisco Prime Infrastructure before 3.1 and Cisco Evolved Programmable Network Manager before 1.2.4 allows remote authenticated users to bypass intended RBAC restrictions and obtain sensitive information, and consequently gain privileges, via crafted JSON data, aka Bug ID CSCuy12409. Vendors have confirmed this vulnerability Bug ID CSCuy12409 It is released as. Supplementary information : CWE Vulnerability type by CWE-284: Improper Access Control ( Inappropriate access control ) Has been identified. http://cwe.mitre.org/data/definitions/284.htmlCrafted by remotely authenticated users JSON Through the data, RBAC Limitations can be circumvented, important information can be obtained, and as a result, privileges can be obtained. An attacker can exploit this issue to gain elevated privileges on an affected device. This issue is being tracked by Cisco Bug ID's CSCuy12409 and CSCuy12511. PI is a set of wireless management solutions through Cisco Prime LAN Management Solution (LMS) and Cisco Prime Network Control System (NCS) technologies; EPNM is a set of network management solutions

Trust: 1.98

sources: NVD: CVE-2016-1406 // JVNDB: JVNDB-2016-002928 // BID: 90823 // VULHUB: VHN-90225

AFFECTED PRODUCTS

vendor:	cisco	model:	evolved programmable network manager	scope:	eq	version:	1.2.200	Trust: 1.6
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	1.2.0.103	Trust: 1.6
vendor:	cisco	model:	evolved programmable network manager	scope:	eq	version:	1.2.1.3	Trust: 1.6
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	2.2\(2\)	Trust: 1.6
vendor:	cisco	model:	evolved programmable network manager	scope:	eq	version:	1.2.0	Trust: 1.6
vendor:	cisco	model:	evolved programmable network manager	scope:	eq	version:	1.2.300	Trust: 1.6
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	1.4.0.45	Trust: 1.6
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	1.4	Trust: 1.0
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	1.4.1	Trust: 1.0
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	1.2	Trust: 1.0
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	2.1.0	Trust: 1.0
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	2.0	Trust: 1.0
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	2.2	Trust: 1.0
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	1.3	Trust: 1.0
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	1.2.1	Trust: 1.0
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	1.3.0.20	Trust: 1.0
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	1.4.2	Trust: 1.0
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	3.0	Trust: 1.0
vendor:	cisco	model:	evolved programmable network manager	scope:	lt	version:	1.2.4	Trust: 0.8
vendor:	cisco	model:	prime infrastructure	scope:	lt	version:	3.1	Trust: 0.8
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	2.2.0	Trust: 0.6
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	3.0.0	Trust: 0.6
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	3.0_base	Trust: 0.6

sources: JVNDB: JVNDB-2016-002928 // CNNVD: CNNVD-201605-586 // NVD: CVE-2016-1406

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2016-1406
value:	HIGH
Trust: 1.0
NVD:	CVE-2016-1406
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201605-586
value:	HIGH
Trust: 0.6
VULHUB:	VHN-90225
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2016-1406
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-90225
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2016-1406
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-90225 // JVNDB: JVNDB-2016-002928 // CNNVD: CNNVD-201605-586 // NVD: CVE-2016-1406

PROBLEMTYPE DATA

problemtype:	CWE-284	Trust: 1.1
problemtype:	CWE-Other	Trust: 0.8

sources: VULHUB: VHN-90225 // JVNDB: JVNDB-2016-002928 // NVD: CVE-2016-1406

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201605-586

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-201605-586

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-002928

PATCH

title:	cisco-sa-20160523-pi-epnm	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160523-pi-epnm	Trust: 0.8
title:	Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=61899	Trust: 0.6

sources: JVNDB: JVNDB-2016-002928 // CNNVD: CNNVD-201605-586

EXTERNAL IDS

db:	NVD	id:	CVE-2016-1406	Trust: 2.8
db:	SECTRACK	id:	1035948	Trust: 1.7
db:	JVNDB	id:	JVNDB-2016-002928	Trust: 0.8
db:	CNNVD	id:	CNNVD-201605-586	Trust: 0.7
db:	BID	id:	90823	Trust: 0.4
db:	VULHUB	id:	VHN-90225	Trust: 0.1

sources: VULHUB: VHN-90225 // BID: 90823 // JVNDB: JVNDB-2016-002928 // CNNVD: CNNVD-201605-586 // NVD: CVE-2016-1406

REFERENCES

url:	http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20160523-pi-epnm	Trust: 1.7
url:	http://www.securitytracker.com/id/1035948	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-1406	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-1406	Trust: 0.8
url:	http://www.cisco.com/	Trust: 0.3

sources: VULHUB: VHN-90225 // BID: 90823 // JVNDB: JVNDB-2016-002928 // CNNVD: CNNVD-201605-586 // NVD: CVE-2016-1406

CREDITS

Cisco

Trust: 0.3

sources: BID: 90823

SOURCES

db:	VULHUB	id:	VHN-90225
db:	BID	id:	90823
db:	JVNDB	id:	JVNDB-2016-002928
db:	CNNVD	id:	CNNVD-201605-586
db:	NVD	id:	CVE-2016-1406

LAST UPDATE DATE

2024-11-23T23:12:36.154000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-90225	date:	2019-07-29T00:00:00
db:	BID	id:	90823	date:	2016-05-23T00:00:00
db:	JVNDB	id:	JVNDB-2016-002928	date:	2016-05-27T00:00:00
db:	CNNVD	id:	CNNVD-201605-586	date:	2019-07-30T00:00:00
db:	NVD	id:	CVE-2016-1406	date:	2024-11-21T02:46:22.967

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-90225	date:	2016-05-25T00:00:00
db:	BID	id:	90823	date:	2016-05-23T00:00:00
db:	JVNDB	id:	JVNDB-2016-002928	date:	2016-05-27T00:00:00
db:	CNNVD	id:	CNNVD-201605-586	date:	2016-05-24T00:00:00
db:	NVD	id:	CVE-2016-1406	date:	2016-05-25T01:59:09.757