Sign-up

ID

VAR-201801-1051


CVE

CVE-2018-0100


TITLE

Cisco AnyConnect Secure Mobility Client In XML External entity vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2018-001701

DESCRIPTION

A vulnerability in the Profile Editor of the Cisco AnyConnect Secure Mobility Client could allow an unauthenticated, local attacker to have read and write access to information stored in the affected system. The vulnerability is due to improper handling of the XML External Entity (XXE) entries when parsing an XML file. An attacker could exploit this vulnerability by injecting a crafted XML file with malicious entries, which could allow the attacker to read and write files. Cisco Bug IDs: CSCvg19341. Vendors have confirmed this vulnerability Bug ID CSCvg19341 It is released as.Information may be obtained and information may be altered. ProfileEditor is one of the Profile document editors. Attackers can exploit this issue to obtain potentially sensitive information or perform unauthorized actions. This may lead to further attacks

Trust: 2.52

sources: NVD: CVE-2018-0100 // JVNDB: JVNDB-2018-001701 // CNVD: CNVD-2018-02365 // BID: 102738 // VULHUB: VHN-118302

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2018-02365

AFFECTED PRODUCTS

vendor:ciscomodel:anyconnect secure mobility clientscope: - version: -

Trust: 1.4

vendor:ciscomodel:anyconnect secure mobility clientscope:eqversion:*

Trust: 1.0

vendor:ciscomodel:anyconnect vpn clientscope: - version: -

Trust: 0.6

vendor:ciscomodel:anyconnect vpn client softwarescope:eqversion:0

Trust: 0.3

vendor:ciscomodel:anyconnect secure mobility clientscope:eqversion:4.4(4030)

Trust: 0.3

sources: CNVD: CNVD-2018-02365 // BID: 102738 // JVNDB: JVNDB-2018-001701 // CNNVD: CNNVD-201801-619 // NVD: CVE-2018-0100

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-0100
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-0100
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2018-02365
value: LOW

Trust: 0.6

CNNVD: CNNVD-201801-619
value: MEDIUM

Trust: 0.6

VULHUB: VHN-118302
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2018-0100
severity: LOW
baseScore: 3.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2018-02365
severity: LOW
baseScore: 3.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-118302
severity: LOW
baseScore: 3.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-0100
baseSeverity: MEDIUM
baseScore: 4.4
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 1.8
impactScore: 2.5
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2018-02365 // VULHUB: VHN-118302 // JVNDB: JVNDB-2018-001701 // CNNVD: CNNVD-201801-619 // NVD: CVE-2018-0100

PROBLEMTYPE DATA

problemtype:CWE-611

Trust: 1.9

sources: VULHUB: VHN-118302 // JVNDB: JVNDB-2018-001701 // NVD: CVE-2018-0100

THREAT TYPE

local

Trust: 0.9

sources: BID: 102738 // CNNVD: CNNVD-201801-619

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-201801-619

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2018-001701

PATCH
title:cisco-sa-20180117-acpeurl:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180117-acpe
Trust: 0.8
title:Patch for CiscoAnyConnectProfileEditorXML External Entity Injection Vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/115083
Trust: 0.6
title:Cisco AnyConnect Secure Mobility Client Profile Editor Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=77799
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2018-02365 // 
            
            
            
            JVNDB: JVNDB-2018-001701 // 
            
            
            
            CNNVD: CNNVD-201801-619

EXTERNAL IDS
db:NVDid:CVE-2018-0100
Trust: 3.4
db:BIDid:102738
Trust: 2.0
db:SECTRACKid:1040246
Trust: 1.7
db:JVNDBid:JVNDB-2018-001701
Trust: 0.8
db:CNNVDid:CNNVD-201801-619
Trust: 0.7
db:CNVDid:CNVD-2018-02365
Trust: 0.6
db:VULHUBid:VHN-118302
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2018-02365 // 
            
            
            
            VULHUB: VHN-118302 // 
            
            
            
            BID: 102738 // 
            
            
            
            JVNDB: JVNDB-2018-001701 // 
            
            
            
            CNNVD: CNNVD-201801-619 // 
            
            
            
            NVD: CVE-2018-0100

REFERENCES
url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20180117-acpe
Trust: 2.6
url:http://www.securityfocus.com/bid/102738
Trust: 1.7
url:http://www.securitytracker.com/id/1040246
Trust: 1.7
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-0100
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-0100
Trust: 0.8
url:http://www.cisco.com/
Trust: 0.3
sources:
            
            
            CNVD: CNVD-2018-02365 // 
            
            
            
            VULHUB: VHN-118302 // 
            
            
            
            BID: 102738 // 
            
            
            
            JVNDB: JVNDB-2018-001701 // 
            
            
            
            CNNVD: CNNVD-201801-619 // 
            
            
            
            NVD: CVE-2018-0100

CREDITS
Alain Homewood of Insomnia Security
Trust: 0.3
sources:
            
            
            BID: 102738

SOURCES
db:CNVDid:CNVD-2018-02365
db:VULHUBid:VHN-118302
db:BIDid:102738
db:JVNDBid:JVNDB-2018-001701
db:CNNVDid:CNNVD-201801-619
db:NVDid:CVE-2018-0100

LAST UPDATE DATE
2024-11-23T22:45:27.688000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2018-02365date:2018-01-31T00:00:00
db:VULHUBid:VHN-118302date:2019-10-09T00:00:00
db:BIDid:102738date:2018-01-17T00:00:00
db:JVNDBid:JVNDB-2018-001701date:2018-03-02T00:00:00
db:CNNVDid:CNNVD-201801-619date:2019-10-17T00:00:00
db:NVDid:CVE-2018-0100date:2024-11-21T03:37:31.230

SOURCES RELEASE DATE
db:CNVDid:CNVD-2018-02365date:2018-01-31T00:00:00
db:VULHUBid:VHN-118302date:2018-01-18T00:00:00
db:BIDid:102738date:2018-01-17T00:00:00
db:JVNDBid:JVNDB-2018-001701date:2018-03-02T00:00:00
db:CNNVDid:CNNVD-201801-619date:2018-01-22T00:00:00
db:NVDid:CVE-2018-0100date:2018-01-18T06:29:01.050