Sign-up

ID

VAR-201711-0339


CVE

CVE-2017-12344


TITLE

Cisco Data Center Network Manager Open redirect vulnerability in software

Trust: 0.8

sources: JVNDB: JVNDB-2017-010416

DESCRIPTION

Multiple vulnerabilities in Cisco Data Center Network Manager (DCNM) Software could allow a remote attacker to inject arbitrary values into DCNM configuration parameters, redirect a user to a malicious website, inject malicious content into a DCNM client interface, or conduct a cross-site scripting (XSS) attack against a user of the affected software. Cisco Bug IDs: CSCvf40477, CSCvf63150, CSCvf68218, CSCvf68235, CSCvf68247. Cisco Data Center Network Manager (DCNM) The software contains an open redirect vulnerability. Vendors report this vulnerability Bug ID CSCvf40477 , CSCvf63150 , CSCvf68218 , CSCvf68235 ,and CSCvf68247 Published as.The information may be obtained and the information may be falsified. Successful exploits will allow attackers to execute arbitrary code within the context of the affected system, manipulate and spoof content, insert a crafted HTTP header into an HTTP response to cause a web page redirection to a possible malicious website, and/or to execute arbitrary HTML or script code in the browser of an unsuspecting user in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; this may aid in launching further attacks. The system is available for Cisco Nexus and MDS series switches and provides storage visualization, configuration and troubleshooting functions. There is an HTTP injection vulnerability in the web interface of Cisco DCNM Software. The vulnerability stems from the fact that the program does not adequately perform input validation on the values ​​in the HTTP header parameters. Remote attackers can exploit this vulnerability to redirect users to malicious websites by enticing users to click malicious links and inject malicious HTTP headers into HTTP messages

Trust: 1.98

sources: NVD: CVE-2017-12344 // JVNDB: JVNDB-2017-010416 // BID: 101996 // VULHUB: VHN-102857

AFFECTED PRODUCTS

vendor:ciscomodel:data center network managerscope:eqversion:10.2\(1\)

Trust: 1.6

vendor:ciscomodel:mds series multilayer directors 10.4 s0scope:neversion:9500

Trust: 1.2

vendor:ciscomodel:data center network managerscope: - version: -

Trust: 0.8

vendor:ciscomodel:mds series multilayer directors 10.3 rscope:neversion:9500

Trust: 0.6

vendor:ciscomodel:mds series multilayer directors 10.3 s3scope:eqversion:9500

Trust: 0.3

vendor:ciscomodel:mds series multilayer directorsscope:eqversion:950010.2(1)

Trust: 0.3

vendor:ciscomodel:data center network managerscope:eqversion:0

Trust: 0.3

vendor:ciscomodel:mds series multilayer directors 11.0 s0scope:neversion:9500

Trust: 0.3

vendor:ciscomodel:mds series multilayer directors 10.4 s9scope:neversion:9500

Trust: 0.3

vendor:ciscomodel:mds series multilayer directors 10.4 s19scope:neversion:9500

Trust: 0.3

vendor:ciscomodel:mds series multilayer directors 10.4 s11scope:neversion:9500

Trust: 0.3

sources: BID: 101996 // JVNDB: JVNDB-2017-010416 // CNNVD: CNNVD-201711-1221 // NVD: CVE-2017-12344

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-12344
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-12344
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201711-1221
value: MEDIUM

Trust: 0.6

VULHUB: VHN-102857
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-12344
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-102857
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-12344
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-102857 // JVNDB: JVNDB-2017-010416 // CNNVD: CNNVD-201711-1221 // NVD: CVE-2017-12344

PROBLEMTYPE DATA

problemtype:CWE-601

Trust: 1.9

problemtype:CWE-79

Trust: 1.0

sources: VULHUB: VHN-102857 // JVNDB: JVNDB-2017-010416 // NVD: CVE-2017-12344

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201711-1221

TYPE

Input Validation Error

Trust: 0.9

sources: BID: 101996 // CNNVD: CNNVD-201711-1221

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2017-010416

PATCH
title:cisco-sa-20171129-dcnmurl:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171129-dcnm
Trust: 0.8
title:Cisco Data Center Network Manager Software Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=76839
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2017-010416 // 
            
            
            
            CNNVD: CNNVD-201711-1221

EXTERNAL IDS
db:NVDid:CVE-2017-12344
Trust: 2.8
db:BIDid:101996
Trust: 2.0
db:JVNDBid:JVNDB-2017-010416
Trust: 0.8
db:CNNVDid:CNNVD-201711-1221
Trust: 0.7
db:VULHUBid:VHN-102857
Trust: 0.1
sources:
            
            
            VULHUB: VHN-102857 // 
            
            
            
            BID: 101996 // 
            
            
            
            JVNDB: JVNDB-2017-010416 // 
            
            
            
            CNNVD: CNNVD-201711-1221 // 
            
            
            
            NVD: CVE-2017-12344

REFERENCES
url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20171129-dcnm
Trust: 2.0
url:http://www.securityfocus.com/bid/101996
Trust: 1.7
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-12344
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2017-12344
Trust: 0.8
url:http://www.cisco.com/
Trust: 0.3
sources:
            
            
            VULHUB: VHN-102857 // 
            
            
            
            BID: 101996 // 
            
            
            
            JVNDB: JVNDB-2017-010416 // 
            
            
            
            CNNVD: CNNVD-201711-1221 // 
            
            
            
            NVD: CVE-2017-12344

CREDITS
Indrajith.A.N
Trust: 0.3
sources:
            
            
            BID: 101996

SOURCES
db:VULHUBid:VHN-102857
db:BIDid:101996
db:JVNDBid:JVNDB-2017-010416
db:CNNVDid:CNNVD-201711-1221
db:NVDid:CVE-2017-12344

LAST UPDATE DATE
2024-11-23T22:22:22.204000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-102857date:2019-10-09T00:00:00
db:BIDid:101996date:2017-12-19T22:37:00
db:JVNDBid:JVNDB-2017-010416date:2017-12-13T00:00:00
db:CNNVDid:CNNVD-201711-1221date:2019-10-17T00:00:00
db:NVDid:CVE-2017-12344date:2024-11-21T03:09:20.870

SOURCES RELEASE DATE
db:VULHUBid:VHN-102857date:2017-11-30T00:00:00
db:BIDid:101996date:2017-11-29T00:00:00
db:JVNDBid:JVNDB-2017-010416date:2017-12-13T00:00:00
db:CNNVDid:CNNVD-201711-1221date:2017-12-01T00:00:00
db:NVDid:CVE-2017-12344date:2017-11-30T09:29:00.790