Details of VAR-201704-0956

ID

VAR-201704-0956

CVE

CVE-2017-3886

TITLE

Cisco Unified Communications Manager of Web In the interface SQL Injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-003073

DESCRIPTION

A vulnerability in the Cisco Unified Communications Manager web interface could allow an authenticated, remote attacker to impact the confidentiality of the system by executing arbitrary SQL queries, aka SQL Injection. The attacker must be authenticated as an administrative user to execute SQL database queries. More Information: CSCvc74291. Known Affected Releases: 1.0(1.10000.10) 11.5(1.10000.6). Known Fixed Releases: 12.0(0.98000.619) 12.0(0.98000.485) 12.0(0.98000.212) 11.5(1.13035.1) 11.0(1.23900.5) 11.0(1.23900.2) 11.0(1.23067.1) 10.5(2.15900.2). Vendors have confirmed this vulnerability Bug ID CSCvc74291 It is released as.Information may be obtained. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. This issue being tracked by Cisco Bug ID CSCvc74291. This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution. A remote attacker could exploit this vulnerability to execute arbitrary SQL commands by sending HTTP requests with user-submitted data

Trust: 1.98

sources: NVD: CVE-2017-3886 // JVNDB: JVNDB-2017-003073 // BID: 97432 // VULHUB: VHN-112089

AFFECTED PRODUCTS

vendor:	cisco	model:	unified communications manager	scope:	eq	version:	11.0\(1.10000.10\)	Trust: 1.6
vendor:	cisco	model:	unified communications manager	scope:	eq	version:	11.5\(1.10000.6\)	Trust: 1.6
vendor:	cisco	model:	unified communications manager	scope:	eq	version:	11.5(1.10000.6)	Trust: 1.1
vendor:	cisco	model:	unified communications manager	scope:	eq	version:	1.0(1.10000.10)	Trust: 0.8
vendor:	cisco	model:	unified communications manager	scope:	eq	version:	11.0(1.10000.10)	Trust: 0.3

sources: BID: 97432 // JVNDB: JVNDB-2017-003073 // CNNVD: CNNVD-201704-437 // NVD: CVE-2017-3886

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-3886
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2017-3886
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201704-437
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-112089
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2017-3886
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-112089
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-3886
baseSeverity:	MEDIUM
baseScore:	4.9
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	1.2
impactScore:	3.6
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-112089 // JVNDB: JVNDB-2017-003073 // CNNVD: CNNVD-201704-437 // NVD: CVE-2017-3886

PROBLEMTYPE DATA

problemtype:

CWE-89

Trust: 1.9

sources: VULHUB: VHN-112089 // JVNDB: JVNDB-2017-003073 // NVD: CVE-2017-3886

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201704-437

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-201704-437

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-003073

PATCH

title:	cisco-sa-20170405-ucm	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170405-ucm	Trust: 0.8
title:	Cisco Unified Communications Manager SQL Repair measures for injecting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=70140	Trust: 0.6

sources: JVNDB: JVNDB-2017-003073 // CNNVD: CNNVD-201704-437

EXTERNAL IDS

db:	NVD	id:	CVE-2017-3886	Trust: 2.8
db:	BID	id:	97432	Trust: 1.4
db:	SECTRACK	id:	1038192	Trust: 1.1
db:	JVNDB	id:	JVNDB-2017-003073	Trust: 0.8
db:	CNNVD	id:	CNNVD-201704-437	Trust: 0.7
db:	NSFOCUS	id:	36309	Trust: 0.6
db:	VULHUB	id:	VHN-112089	Trust: 0.1

sources: VULHUB: VHN-112089 // BID: 97432 // JVNDB: JVNDB-2017-003073 // CNNVD: CNNVD-201704-437 // NVD: CVE-2017-3886

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20170405-ucm	Trust: 2.0
url:	http://www.securityfocus.com/bid/97432	Trust: 1.1
url:	http://www.securitytracker.com/id/1038192	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-3886	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-3886	Trust: 0.8
url:	http://www.nsfocus.net/vulndb/36309	Trust: 0.6
url:	http://www.cisco.com/en/us/products/sw/voicesw/ps556/index.html	Trust: 0.3

sources: VULHUB: VHN-112089 // BID: 97432 // JVNDB: JVNDB-2017-003073 // CNNVD: CNNVD-201704-437 // NVD: CVE-2017-3886

CREDITS

Cisco

Trust: 0.3

sources: BID: 97432

SOURCES

db:	VULHUB	id:	VHN-112089
db:	BID	id:	97432
db:	JVNDB	id:	JVNDB-2017-003073
db:	CNNVD	id:	CNNVD-201704-437
db:	NVD	id:	CVE-2017-3886

LAST UPDATE DATE

2024-11-23T21:54:08.642000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-112089	date:	2017-07-12T00:00:00
db:	BID	id:	97432	date:	2017-04-11T00:03:00
db:	JVNDB	id:	JVNDB-2017-003073	date:	2017-05-12T00:00:00
db:	CNNVD	id:	CNNVD-201704-437	date:	2017-05-17T00:00:00
db:	NVD	id:	CVE-2017-3886	date:	2024-11-21T03:26:19.030

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-112089	date:	2017-04-07T00:00:00
db:	BID	id:	97432	date:	2017-04-05T00:00:00
db:	JVNDB	id:	JVNDB-2017-003073	date:	2017-05-12T00:00:00
db:	CNNVD	id:	CNNVD-201704-437	date:	2017-04-07T00:00:00
db:	NVD	id:	CVE-2017-3886	date:	2017-04-07T17:59:00.420