ID

VAR-201810-0618


CVE

CVE-2018-15402


TITLE

Cisco Enterprise NFV Infrastructure Software cross-site request forgery vulnerability

Trust: 1.4

sources: JVNDB: JVNDB-2018-013850 // CNNVD: CNNVD-201810-992

DESCRIPTION

A vulnerability in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an unauthenticated, remote attacker to conduct cross-site request forgery (CSRF) attacks. The vulnerability is due to improper validation of Origin headers on HTTP requests within the management interface. An attacker could exploit this vulnerability by convincing a targeted user to follow a URL to a malicious website. An exploit could allow the attacker to take actions within the software with the privileges of the targeted user or gain access to sensitive information. This issue is being tracked by Cisco bug ID CSCvj33439. The platform provides full lifecycle management of virtualized services through the central coordinator and controller.

Trust: 1.98

sources: NVD: CVE-2018-15402 // JVNDB: JVNDB-2018-013850 // BID: 105662 // VULHUB: VHN-125658

AFFECTED PRODUCTS

vendor: cisco, model: enterprise network virtualization software, scope: eq, version: nfvis-9.0

Trust: 1.0

vendor: cisco, model: enterprise network virtualization software, scope: eq, version: nfvis-8.0

Trust: 1.0

vendor: cisco, model: enterprise nfv infrastructure software, scope: -, version: -

Trust: 0.8

vendor: cisco, model: enterprise nfv infrastructure software, scope: eq, version: 0

Trust: 0.3

sources: BID: 105662 // JVNDB: JVNDB-2018-013850 // NVD: CVE-2018-15402

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-15402
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2018-15402
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-15402
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201810-992
value: HIGH

Trust: 0.6

VULHUB: VHN-125658
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-15402
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-125658
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-15402
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

ykramarz@cisco.com: CVE-2018-15402
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.5
version: 3.0

Trust: 1.0

sources: VULHUB: VHN-125658 // JVNDB: JVNDB-2018-013850 // CNNVD: CNNVD-201810-992 // NVD: CVE-2018-15402 // NVD: CVE-2018-15402

PROBLEMTYPE DATA

problemtype: CWE-352

Trust: 1.9

sources: VULHUB: VHN-125658 // JVNDB: JVNDB-2018-013850 // NVD: CVE-2018-15402

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201810-992

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201810-992

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-013850

PATCH

title: cisco-sa-20181017-nfvis-csrf, url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181017-nfvis-csrf

Trust: 0.8

title: Cisco Enterprise NFV Infrastructure Software Fixes for cross-site request forgery vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=86063

Trust: 0.6

sources: JVNDB: JVNDB-2018-013850 // CNNVD: CNNVD-201810-992

EXTERNAL IDS

db: NVD, id: CVE-2018-15402

Trust: 2.8

db: BID, id: 105662

Trust: 2.0

db: JVNDB, id: JVNDB-2018-013850

Trust: 0.8

db: CNNVD, id: CNNVD-201810-992

Trust: 0.7

db: VULHUB, id: VHN-125658

Trust: 0.1

sources: VULHUB: VHN-125658 // BID: 105662 // JVNDB: JVNDB-2018-013850 // CNNVD: CNNVD-201810-992 // NVD: CVE-2018-15402

REFERENCES

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20181017-nfvis-csrf

Trust: 2.0

url: http://www.securityfocus.com/bid/105662

Trust: 1.7

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-15402

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2018-15402

Trust: 0.8

url: http://www.cisco.com/

Trust: 0.3

sources: VULHUB: VHN-125658 // BID: 105662 // JVNDB: JVNDB-2018-013850 // CNNVD: CNNVD-201810-992 // NVD: CVE-2018-15402

CREDITS

Cisco

Trust: 0.3

sources: BID: 105662

SOURCES

db: VULHUB, id: VHN-125658
db: BID, id: 105662
db: JVNDB, id: JVNDB-2018-013850
db: CNNVD, id: CNNVD-201810-992
db: NVD, id: CVE-2018-15402

LAST UPDATE DATE

2024-08-14T14:57:07.492000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-125658, date: 2019-10-09T00:00:00
db: BID, id: 105662, date: 2018-10-17T00:00:00
db: JVNDB, id: JVNDB-2018-013850, date: 2019-03-04T00:00:00
db: CNNVD, id: CNNVD-201810-992, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2018-15402, date: 2019-10-09T23:35:32.360

SOURCES RELEASE DATE

db: VULHUB, id: VHN-125658, date: 2018-10-17T00:00:00
db: BID, id: 105662, date: 2018-10-17T00:00:00
db: JVNDB, id: JVNDB-2018-013850, date: 2019-03-04T00:00:00
db: CNNVD, id: CNNVD-201810-992, date: 2018-10-18T00:00:00
db: NVD, id: CVE-2018-15402, date: 2018-10-17T20:29:00.457