ID

VAR-201810-0334


CVE

CVE-2018-0460


TITLE

Cisco Enterprise NFV Infrastructure Software Authorization vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-011266

DESCRIPTION

A vulnerability in the REST API of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, remote attacker to read any file on an affected system. The vulnerability is due to insufficient authorization and parameter validation checks. An attacker could exploit this vulnerability by sending a malicious API request with the authentication credentials of a low-privileged user. A successful exploit could allow the attacker to read any file on the affected system. Cisco Enterprise NFV Infrastructure Software (NFVIS) contains an authorization vulnerability. Information may be obtained. An attacker can exploit this issue to obtain sensitive information that may aid in further attacks. This issue is being tracked by Cisco bug ID CSCvj07787. The platform can realize the full lifecycle management of virtualized services through the central coordinator and controller.

Trust: 1.98

sources: NVD: CVE-2018-0460 // JVNDB: JVNDB-2018-011266 // BID: 105299 // VULHUB: VHN-118662

AFFECTED PRODUCTS

vendor: cisco, model: network functions virtualization infrastructure, scope: eq, version: -

Trust: 1.6

vendor: cisco, model: enterprise nfv infrastructure software, scope: -, version: -

Trust: 0.8

vendor: cisco, model: enterprise nfv infrastructure software, scope: eq, version: 0

Trust: 0.3

sources: BID: 105299 // JVNDB: JVNDB-2018-011266 // CNNVD: CNNVD-201809-276 // NVD: CVE-2018-0460

CVSS

SEVERITY

nvd@nist.gov: CVE-2018-0460
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-0460
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201809-276
value: MEDIUM

Trust: 0.6

VULHUB: VHN-118662
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2018-0460
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:L/AU:S/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-118662
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:L/AU:S/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2018-0460
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-118662 // JVNDB: JVNDB-2018-011266 // CNNVD: CNNVD-201809-276 // NVD: CVE-2018-0460

PROBLEMTYPE DATA

problemtype:CWE-285

Trust: 1.9

problemtype:CWE-863

Trust: 1.1

sources: VULHUB: VHN-118662 // JVNDB: JVNDB-2018-011266 // NVD: CVE-2018-0460

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201809-276

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201809-276

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-011266

PATCH

title: cisco-sa-20180905-nfvis-infodis, url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-nfvis-infodis

Trust: 0.8

title: Cisco Enterprise NFV Infrastructure Software Repair measures for information disclosure vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=84607

Trust: 0.6

sources: JVNDB: JVNDB-2018-011266 // CNNVD: CNNVD-201809-276

EXTERNAL IDS

db: NVD, id: CVE-2018-0460

Trust: 2.8

db: BID, id: 105299

Trust: 2.0

db: JVNDB, id: JVNDB-2018-011266

Trust: 0.8

db: CNNVD, id: CNNVD-201809-276

Trust: 0.7

db: VULHUB, id: VHN-118662

Trust: 0.1

sources: VULHUB: VHN-118662 // BID: 105299 // JVNDB: JVNDB-2018-011266 // CNNVD: CNNVD-201809-276 // NVD: CVE-2018-0460

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20180905-nfvis-infodis

Trust: 2.0

url:http://www.securityfocus.com/bid/105299

Trust: 1.7

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-0460

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-0460

Trust: 0.8

url:http://www.cisco.com/

Trust: 0.3

sources: VULHUB: VHN-118662 // BID: 105299 // JVNDB: JVNDB-2018-011266 // CNNVD: CNNVD-201809-276 // NVD: CVE-2018-0460

CREDITS

Security Teams of Orange Group

Trust: 0.3

sources: BID: 105299

SOURCES

db: VULHUB, id: VHN-118662
db: BID, id: 105299
db: JVNDB, id: JVNDB-2018-011266
db: CNNVD, id: CNNVD-201809-276
db: NVD, id: CVE-2018-0460

LAST UPDATE DATE

2024-11-23T22:55:43.497000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-118662, date: 2019-10-09T00:00:00
db: BID, id: 105299, date: 2018-09-05T00:00:00
db: JVNDB, id: JVNDB-2018-011266, date: 2019-01-09T00:00:00
db: CNNVD, id: CNNVD-201809-276, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2018-0460, date: 2024-11-21T03:38:16.703

SOURCES RELEASE DATE

db: VULHUB, id: VHN-118662, date: 2018-10-05T00:00:00
db: BID, id: 105299, date: 2018-09-05T00:00:00
db: JVNDB, id: JVNDB-2018-011266, date: 2019-01-09T00:00:00
db: CNNVD, id: CNNVD-201809-276, date: 2018-09-06T00:00:00
db: NVD, id: CVE-2018-0460, date: 2018-10-05T14:29:04.043