Sign-up

ID

VAR-201612-0361


CVE

CVE-2016-9199


TITLE

Cisco IOx of Cisco Application-hosting Framework Vulnerable to reading arbitrary files

Trust: 0.8

sources: JVNDB: JVNDB-2016-006281

DESCRIPTION

A vulnerability in the Cisco application-hosting framework (CAF) of Cisco IOx could allow an authenticated, remote attacker to read arbitrary files on a targeted system. Affected Products: This vulnerability affects specific releases of the Cisco IOx subsystem of Cisco IOS and IOS XE Software. More Information: CSCvb23331. Known Affected Releases: 15.2(6.0.57i)E CAF-1.1.0.0. Cisco IOx is a set of applications that provide unified hosting capabilities for the Cisco IoT network infrastructure (Cisco routers, switches, etc.). An attacker can exploit this issue using directory-traversal characters ('../') to access or read arbitrary files that contain sensitive information or to access files outside of the restricted directory to obtain sensitive information and perform other attacks. This issue is being tracked by Cisco Bug ID CSCvb23331

Trust: 3.06

sources: NVD: CVE-2016-9199 // JVNDB: JVNDB-2016-006281 // CNVD: CNVD-2016-12428 // CNNVD: CNNVD-201612-278 // BID: 94788 // VULHUB: VHN-98019

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2016-12428

AFFECTED PRODUCTS

vendor:ciscomodel:ioxscope:eqversion:1.1.0

Trust: 1.6

vendor:ciscomodel:ioxscope: - version: -

Trust: 0.8

vendor:ciscomodel:ios xescope: - version: -

Trust: 0.6

vendor:ciscomodel:iosscope: - version: -

Trust: 0.6

vendor:ciscomodel:ios xe softwarescope:eqversion:0

Trust: 0.3

vendor:ciscomodel:ios softwarescope:eqversion:0

Trust: 0.3

sources: CNVD: CNVD-2016-12428 // BID: 94788 // JVNDB: JVNDB-2016-006281 // CNNVD: CNNVD-201612-278 // NVD: CVE-2016-9199

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-9199
value: MEDIUM

Trust: 1.0

NVD: CVE-2016-9199
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2016-12428
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201612-278
value: MEDIUM

Trust: 0.6

VULHUB: VHN-98019
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2016-9199
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:L/AU:S/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2016-12428
severity: MEDIUM
baseScore: 6.3
vectorString: AV:N/AC:M/AU:S/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-98019
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:L/AU:S/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2016-9199
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2016-12428 // VULHUB: VHN-98019 // JVNDB: JVNDB-2016-006281 // CNNVD: CNNVD-201612-278 // NVD: CVE-2016-9199

PROBLEMTYPE DATA

problemtype:CWE-22

Trust: 1.9

sources: VULHUB: VHN-98019 // JVNDB: JVNDB-2016-006281 // NVD: CVE-2016-9199

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201612-278

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-201612-278

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2016-006281

PATCH
title:cisco-sa-20161207-cafurl:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161207-caf
Trust: 0.8
title:Patch for CiscoIOS and IOSXESoftware Path Traversal Vulnerabilitiesurl:https://www.cnvd.org.cn/patchInfo/show/86036
Trust: 0.6
title:Cisco IOx Repair measures for path traversal vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=66317
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2016-12428 // 
            
            
            
            JVNDB: JVNDB-2016-006281 // 
            
            
            
            CNNVD: CNNVD-201612-278

EXTERNAL IDS
db:NVDid:CVE-2016-9199
Trust: 3.4
db:BIDid:94788
Trust: 2.6
db:SECTRACKid:1037427
Trust: 1.1
db:JVNDBid:JVNDB-2016-006281
Trust: 0.8
db:CNNVDid:CNNVD-201612-278
Trust: 0.7
db:CNVDid:CNVD-2016-12428
Trust: 0.6
db:VULHUBid:VHN-98019
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2016-12428 // 
            
            
            
            VULHUB: VHN-98019 // 
            
            
            
            BID: 94788 // 
            
            
            
            JVNDB: JVNDB-2016-006281 // 
            
            
            
            CNNVD: CNNVD-201612-278 // 
            
            
            
            NVD: CVE-2016-9199

REFERENCES
url:http://www.securityfocus.com/bid/94788
Trust: 2.3
url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20161207-caf
Trust: 2.0
url:http://www.securitytracker.com/id/1037427
Trust: 1.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-9199
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-9199
Trust: 0.8
url:http://www.cisco.com/
Trust: 0.3
sources:
            
            
            CNVD: CNVD-2016-12428 // 
            
            
            
            VULHUB: VHN-98019 // 
            
            
            
            BID: 94788 // 
            
            
            
            JVNDB: JVNDB-2016-006281 // 
            
            
            
            CNNVD: CNNVD-201612-278 // 
            
            
            
            NVD: CVE-2016-9199

CREDITS
The vendor reported this issue.
Trust: 0.3
sources:
            
            
            BID: 94788

SOURCES
db:CNVDid:CNVD-2016-12428
db:VULHUBid:VHN-98019
db:BIDid:94788
db:JVNDBid:JVNDB-2016-006281
db:CNNVDid:CNNVD-201612-278
db:NVDid:CVE-2016-9199

LAST UPDATE DATE
2024-11-23T22:01:20.396000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2016-12428date:2016-12-16T00:00:00
db:VULHUBid:VHN-98019date:2016-12-22T00:00:00
db:BIDid:94788date:2017-05-02T03:06:00
db:JVNDBid:JVNDB-2016-006281date:2016-12-19T00:00:00
db:CNNVDid:CNNVD-201612-278date:2016-12-13T00:00:00
db:NVDid:CVE-2016-9199date:2024-11-21T03:00:47.217

SOURCES RELEASE DATE
db:CNVDid:CNVD-2016-12428date:2016-12-16T00:00:00
db:VULHUBid:VHN-98019date:2016-12-14T00:00:00
db:BIDid:94788date:2016-12-07T00:00:00
db:JVNDBid:JVNDB-2016-006281date:2016-12-19T00:00:00
db:CNNVDid:CNNVD-201612-278date:2016-12-12T00:00:00
db:NVDid:CVE-2016-9199date:2016-12-14T00:59:19.347