Details of VAR-201610-0284

ID

VAR-201610-0284

CVE

CVE-2016-6435

TITLE

Cisco Firepower Management Center of Web Vulnerability in console to read arbitrary files

Trust: 0.8

sources: JVNDB: JVNDB-2016-005143

DESCRIPTION

The web console in Cisco Firepower Management Center 6.0.1 allows remote authenticated users to read arbitrary files via crafted parameters, aka Bug ID CSCva30376. An attacker can exploit this vulnerability to obtain potentially sensitive information or to execute arbitrary local scripts in the context of the web server process. This may allow the attacker to compromise the application and the computer; other attacks are also possible

Trust: 1.98

sources: NVD: CVE-2016-6435 // JVNDB: JVNDB-2016-005143 // BID: 93421 // VULHUB: VHN-95255

AFFECTED PRODUCTS

vendor:	cisco	model:	firepower management center	scope:	eq	version:	6.0.1	Trust: 1.4
vendor:	cisco	model:	secure firewall management center	scope:	eq	version:	6.0.1	Trust: 1.0
vendor:	cisco	model:	firepower management center	scope:	eq	version:	0	Trust: 0.3

sources: BID: 93421 // JVNDB: JVNDB-2016-005143 // CNNVD: CNNVD-201610-105 // NVD: CVE-2016-6435

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2016-6435
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2016-6435
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201610-105
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-95255
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2016-6435
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-95255
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2016-6435
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	3.6
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-95255 // JVNDB: JVNDB-2016-005143 // CNNVD: CNNVD-201610-105 // NVD: CVE-2016-6435

PROBLEMTYPE DATA

problemtype:

CWE-200

Trust: 1.9

sources: VULHUB: VHN-95255 // JVNDB: JVNDB-2016-005143 // NVD: CVE-2016-6435

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201610-105

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201610-105

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-005143

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-95255

PATCH

title:	cisco-sa-20161005-ftmc2	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161005-ftmc2	Trust: 0.8
title:	Cisco Firepower Management Center File contains fixes for vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=64532	Trust: 0.6

sources: JVNDB: JVNDB-2016-005143 // CNNVD: CNNVD-201610-105

EXTERNAL IDS

db:	NVD	id:	CVE-2016-6435	Trust: 2.8
db:	BID	id:	93421	Trust: 1.4
db:	EXPLOIT-DB	id:	40464	Trust: 1.1
db:	JVNDB	id:	JVNDB-2016-005143	Trust: 0.8
db:	PACKETSTORM	id:	138987	Trust: 0.7
db:	CNNVD	id:	CNNVD-201610-105	Trust: 0.7
db:	VULHUB	id:	VHN-95255	Trust: 0.1

sources: VULHUB: VHN-95255 // BID: 93421 // JVNDB: JVNDB-2016-005143 // CNNVD: CNNVD-201610-105 // NVD: CVE-2016-6435

REFERENCES

url:	http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20161005-ftmc2	Trust: 2.0
url:	http://www.securityfocus.com/bid/93421	Trust: 1.1
url:	https://www.exploit-db.com/exploits/40464/	Trust: 1.1
url:	https://blog.korelogic.com/blog/2016/10/10/virtual_appliance_spelunking	Trust: 1.1
url:	https://www.korelogic.com/resources/advisories/kl-001-2016-006.txt	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-6435	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-6435	Trust: 0.8
url:	http://packetstormsecurity.com/files/138987/cisco-firepower-threat-management-console-local-file-inclusion.html	Trust: 0.6
url:	http://www.cisco.com/	Trust: 0.3

sources: VULHUB: VHN-95255 // BID: 93421 // JVNDB: JVNDB-2016-005143 // CNNVD: CNNVD-201610-105 // NVD: CVE-2016-6435

CREDITS

Cisco.

Trust: 0.3

sources: BID: 93421

SOURCES

db:	VULHUB	id:	VHN-95255
db:	BID	id:	93421
db:	JVNDB	id:	JVNDB-2016-005143
db:	CNNVD	id:	CNNVD-201610-105
db:	NVD	id:	CVE-2016-6435

LAST UPDATE DATE

2024-11-27T22:53:47.077000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-95255	date:	2017-09-03T00:00:00
db:	BID	id:	93421	date:	2016-10-10T00:05:00
db:	JVNDB	id:	JVNDB-2016-005143	date:	2016-10-12T00:00:00
db:	CNNVD	id:	CNNVD-201610-105	date:	2016-10-11T00:00:00
db:	NVD	id:	CVE-2016-6435	date:	2024-11-26T16:09:02.407

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-95255	date:	2016-10-06T00:00:00
db:	BID	id:	93421	date:	2016-10-05T00:00:00
db:	JVNDB	id:	JVNDB-2016-005143	date:	2016-10-12T00:00:00
db:	CNNVD	id:	CNNVD-201610-105	date:	2016-10-10T00:00:00
db:	NVD	id:	CVE-2016-6435	date:	2016-10-06T10:59:16.460