ID

VAR-201709-0688


CVE

CVE-2017-12225


TITLE

Cisco Prime LAN Management Solution Session fixation vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-007844

DESCRIPTION

A vulnerability in the web functionality of the Cisco Prime LAN Management Solution could allow an authenticated, remote attacker to hijack another user's administrative session, aka a Session Fixation Vulnerability. The vulnerability is due to the reuse of a preauthentication session token as part of the postauthentication session. An attacker could exploit this vulnerability by obtaining the presession token ID. An exploit could allow an attacker to hijack an existing user's session. Known Affected Releases 4.2(5). Cisco Bug IDs: CSCvf58392. The vendor has confirmed this vulnerability and released it as Bug ID CSCvf58392. Information may be tampered with. The solution configures, manages, monitors and maintains the network.

Trust: 1.98

sources: NVD: CVE-2017-12225 // JVNDB: JVNDB-2017-007844 // BID: 100945 // VULHUB: VHN-102726

AFFECTED PRODUCTS

vendor: cisco // model: prime lan management solution // scope: eq // version: 4.2\(5\)

Trust: 1.6

vendor: cisco // model: prime lan management solution // scope: eq // version: 4.2(5)

Trust: 0.8

vendor: cisco // model: prime lan management solution // scope: eq // version: 0

Trust: 0.3

sources: BID: 100945 // JVNDB: JVNDB-2017-007844 // CNNVD: CNNVD-201709-224 // NVD: CVE-2017-12225

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-12225
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-12225
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201709-224
value: MEDIUM

Trust: 0.6

VULHUB: VHN-102726
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-12225
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-102726
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-12225
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-102726 // JVNDB: JVNDB-2017-007844 // CNNVD: CNNVD-201709-224 // NVD: CVE-2017-12225

PROBLEMTYPE DATA

problemtype:CWE-384

Trust: 1.9

problemtype:CWE-287

Trust: 1.0

sources: VULHUB: VHN-102726 // JVNDB: JVNDB-2017-007844 // NVD: CVE-2017-12225

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201709-224

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201709-224

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-007844

PATCH

title: CSCvf58392 - LMS 4.2.5 Session Fixation Vulnerability // url: https://quickview.cloudapps.cisco.com/quickview/bug/CSCvf58392

Trust: 0.8

title: cisco-sa-20170906-prime-lms // url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170906-prime-lms

Trust: 0.8

sources: JVNDB: JVNDB-2017-007844

EXTERNAL IDS

db: NVD // id: CVE-2017-12225

Trust: 2.8

db: SECTRACK // id: 1039285

Trust: 1.7

db: JVNDB // id: JVNDB-2017-007844

Trust: 0.8

db: CNNVD // id: CNNVD-201709-224

Trust: 0.7

db: BID // id: 100945

Trust: 0.4

db: VULHUB // id: VHN-102726

Trust: 0.1

sources: VULHUB: VHN-102726 // BID: 100945 // JVNDB: JVNDB-2017-007844 // CNNVD: CNNVD-201709-224 // NVD: CVE-2017-12225

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20170906-prime-lms

Trust: 2.0

url:https://quickview.cloudapps.cisco.com/quickview/bug/cscvf58392

Trust: 1.7

url:http://www.securitytracker.com/id/1039285

Trust: 1.7

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-12225

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-12225

Trust: 0.8

url:http://www.cisco.com/

Trust: 0.3

sources: VULHUB: VHN-102726 // BID: 100945 // JVNDB: JVNDB-2017-007844 // CNNVD: CNNVD-201709-224 // NVD: CVE-2017-12225

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 100945

SOURCES

db: VULHUB // id: VHN-102726
db: BID // id: 100945
db: JVNDB // id: JVNDB-2017-007844
db: CNNVD // id: CNNVD-201709-224
db: NVD // id: CVE-2017-12225

LAST UPDATE DATE

2024-11-23T22:48:55.267000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-102726 // date: 2019-10-09T00:00:00
db: BID // id: 100945 // date: 2017-09-06T00:00:00
db: JVNDB // id: JVNDB-2017-007844 // date: 2017-10-03T00:00:00
db: CNNVD // id: CNNVD-201709-224 // date: 2019-10-17T00:00:00
db: NVD // id: CVE-2017-12225 // date: 2024-11-21T03:09:04.397

SOURCES RELEASE DATE

db: VULHUB // id: VHN-102726 // date: 2017-09-07T00:00:00
db: BID // id: 100945 // date: 2017-09-06T00:00:00
db: JVNDB // id: JVNDB-2017-007844 // date: 2017-10-03T00:00:00
db: CNNVD // id: CNNVD-201709-224 // date: 2017-09-08T00:00:00
db: NVD // id: CVE-2017-12225 // date: 2017-09-07T21:29:00.597