ID

VAR-201811-0178


CVE

CVE-2018-15441


TITLE

SQL injection vulnerability in Cisco Prime License Manager

Trust: 0.8

sources: JVNDB: JVNDB-2018-011529

DESCRIPTION

A vulnerability in the web framework code of Cisco Prime License Manager (PLM) could allow an unauthenticated, remote attacker to execute arbitrary SQL queries. The vulnerability is due to a lack of proper validation of user-supplied input in SQL queries. An attacker could exploit this vulnerability by sending crafted HTTP POST requests that contain malicious SQL statements to an affected application. A successful exploit could allow the attacker to modify and delete arbitrary data in the PLM database or gain shell access with the privileges of the postgres user. This issue is being tracked as Cisco Bug ID CSCvk30822. Cisco Prime License Manager (PLM) is a license manager from Cisco.

Trust: 1.98

sources: NVD: CVE-2018-15441 // JVNDB: JVNDB-2018-011529 // BID: 106039 // VULHUB: VHN-125701

AFFECTED PRODUCTS

vendor: cisco // model: prime license manager // scope: eq // version: 11.5(1)

Trust: 1.6

vendor: cisco // model: prime license manager // scope: gte // version: 11.0.1

Trust: 1.0

vendor: cisco // model: prime license manager // scope: lte // version: 11.5

Trust: 1.0

vendor: cisco // model: prime license manager // scope: - // version: -

Trust: 0.8

vendor: cisco // model: prime license manager // scope: eq // version: 11.5.1

Trust: 0.3

vendor: cisco // model: prime license manager // scope: eq // version: 11.0.1

Trust: 0.3

vendor: cisco // model: prime license manager // scope: eq // version: 11.5

Trust: 0.3

sources: BID: 106039 // JVNDB: JVNDB-2018-011529 // CNNVD: CNNVD-201811-853 // NVD: CVE-2018-15441

CVSS

SEVERITY

nvd@nist.gov: CVE-2018-15441
value: CRITICAL

Trust: 1.0

ykramarz@cisco.com: CVE-2018-15441
value: CRITICAL

Trust: 1.0

NVD: CVE-2018-15441
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-201811-853
value: CRITICAL

Trust: 0.6

VULHUB: VHN-125701
value: HIGH

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2018-15441
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-125701
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2018-15441
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

ykramarz@cisco.com: CVE-2018-15441
baseSeverity: CRITICAL
baseScore: 9.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.5
version: 3.0

Trust: 1.0

sources: VULHUB: VHN-125701 // JVNDB: JVNDB-2018-011529 // CNNVD: CNNVD-201811-853 // NVD: CVE-2018-15441 // NVD: CVE-2018-15441

PROBLEMTYPE DATA

problemtype: CWE-89

Trust: 1.9

sources: VULHUB: VHN-125701 // JVNDB: JVNDB-2018-011529 // NVD: CVE-2018-15441

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201811-853

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-201811-853

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-011529

PATCH

title: cisco-sa-20181128-plm-sql-inject // url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181128-plm-sql-inject

Trust: 0.8

title: Repair measures for the Cisco Prime License Manager SQL injection vulnerability // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=87077

Trust: 0.6

sources: JVNDB: JVNDB-2018-011529 // CNNVD: CNNVD-201811-853

EXTERNAL IDS

db: NVD // id: CVE-2018-15441

Trust: 2.8

db: BID // id: 106039

Trust: 2.0

db: JVNDB // id: JVNDB-2018-011529

Trust: 0.8

db: CNNVD // id: CNNVD-201811-853

Trust: 0.7

db: VULHUB // id: VHN-125701

Trust: 0.1

sources: VULHUB: VHN-125701 // BID: 106039 // JVNDB: JVNDB-2018-011529 // CNNVD: CNNVD-201811-853 // NVD: CVE-2018-15441

REFERENCES

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20181128-plm-sql-inject

Trust: 2.6

url: http://www.securityfocus.com/bid/106039

Trust: 1.7

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-15441

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2018-15441

Trust: 0.8

url: http://www.cisco.com/

Trust: 0.3

sources: VULHUB: VHN-125701 // BID: 106039 // JVNDB: JVNDB-2018-011529 // CNNVD: CNNVD-201811-853 // NVD: CVE-2018-15441

CREDITS

Cisco would like to thank security researcher Suhail Alaskar of Saudi Information Technology Company for reporting this vulnerability.

Trust: 0.6

sources: CNNVD: CNNVD-201811-853

SOURCES

db: VULHUB // id: VHN-125701
db: BID // id: 106039
db: JVNDB // id: JVNDB-2018-011529
db: CNNVD // id: CNNVD-201811-853
db: NVD // id: CVE-2018-15441

LAST UPDATE DATE

2024-11-23T22:55:42.668000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-125701 // date: 2019-10-09T00:00:00
db: BID // id: 106039 // date: 2018-11-28T00:00:00
db: JVNDB // id: JVNDB-2018-011529 // date: 2019-01-16T00:00:00
db: CNNVD // id: CNNVD-201811-853 // date: 2019-10-17T00:00:00
db: NVD // id: CVE-2018-15441 // date: 2024-11-21T03:50:48.593

SOURCES RELEASE DATE

db: VULHUB // id: VHN-125701 // date: 2018-11-28T00:00:00
db: BID // id: 106039 // date: 2018-11-28T00:00:00
db: JVNDB // id: JVNDB-2018-011529 // date: 2019-01-16T00:00:00
db: CNNVD // id: CNNVD-201811-853 // date: 2018-11-29T00:00:00
db: NVD // id: CVE-2018-15441 // date: 2018-11-28T18:29:00.540