Sign-up

ID

VAR-201901-0588


CVE

CVE-2018-15456


TITLE

Cisco Identity Services Engine Vulnerable to information disclosure

Trust: 0.8

sources: JVNDB: JVNDB-2018-013704

DESCRIPTION

A vulnerability in the Admin Portal of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to view saved passwords in plain text. The vulnerability is due to the incorrect inclusion of saved passwords when loading configuration pages in the Admin Portal. An attacker with read or write access to the Admin Portal could exploit this vulnerability by browsing to a page that contains sensitive data. An exploit could allow the attacker to recover passwords for unauthorized use and expose those accounts to further attack. Cisco Identity Services Engine (ISE) Contains an information disclosure vulnerability.Information may be obtained. This may lead to further attacks. This issue being tracked by Cisco Bug ID CSCvm63427, CSCvm91147, CSCvm91202. The platform monitors the network by collecting real-time information on the network, users and devices, and formulating and implementing corresponding policies

Trust: 1.98

sources: NVD: CVE-2018-15456 // JVNDB: JVNDB-2018-013704 // BID: 106512 // VULHUB: VHN-125717

AFFECTED PRODUCTS

vendor:ciscomodel:identity services enginescope:eqversion:2.3\(0.298\)

Trust: 1.0

vendor:ciscomodel:identity services enginescope:eqversion:2.4\(100.159\)

Trust: 1.0

vendor:ciscomodel:identity services enginescope:eqversion:2.2\(0.470\)

Trust: 1.0

vendor:ciscomodel:identity services enginescope:eqversion:2.4\(0.357\)

Trust: 1.0

vendor:ciscomodel:identity services engine softwarescope: - version: -

Trust: 0.8

vendor:ciscomodel:identity services enginescope:eqversion:2.4(100.159

Trust: 0.3

vendor:ciscomodel:identity services enginescope:eqversion:2.4(0.357)

Trust: 0.3

vendor:ciscomodel:identity services enginescope:eqversion:2.3(0.298)

Trust: 0.3

vendor:ciscomodel:identity services enginescope:eqversion:2.2(0.470)

Trust: 0.3

sources: BID: 106512 // JVNDB: JVNDB-2018-013704 // NVD: CVE-2018-15456

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-15456
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2018-15456
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-15456
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201901-298
value: MEDIUM

Trust: 0.6

VULHUB: VHN-125717
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-15456
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-125717
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-15456
baseSeverity: MEDIUM
baseScore: 4.9
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.2
impactScore: 3.6
version: 3.0

Trust: 1.8

ykramarz@cisco.com: CVE-2018-15456
baseSeverity: MEDIUM
baseScore: 4.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 1.4
version: 3.0

Trust: 1.0

sources: VULHUB: VHN-125717 // JVNDB: JVNDB-2018-013704 // CNNVD: CNNVD-201901-298 // NVD: CVE-2018-15456 // NVD: CVE-2018-15456

PROBLEMTYPE DATA

problemtype:CWE-200

Trust: 1.9

problemtype:CWE-522

Trust: 1.1

sources: VULHUB: VHN-125717 // JVNDB: JVNDB-2018-013704 // NVD: CVE-2018-15456

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201901-298

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201901-298

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2018-013704

PATCH
title:cisco-sa-20190109-ise-passwdurl:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190109-ise-passwd
Trust: 0.8
title:Cisco Identity Services Engine Repair measures for information disclosure vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=88488
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2018-013704 // 
            
            
            
            CNNVD: CNNVD-201901-298

EXTERNAL IDS
db:NVDid:CVE-2018-15456
Trust: 2.8
db:BIDid:106512
Trust: 2.0
db:JVNDBid:JVNDB-2018-013704
Trust: 0.8
db:CNNVDid:CNNVD-201901-298
Trust: 0.7
db:VULHUBid:VHN-125717
Trust: 0.1
sources:
            
            
            VULHUB: VHN-125717 // 
            
            
            
            BID: 106512 // 
            
            
            
            JVNDB: JVNDB-2018-013704 // 
            
            
            
            CNNVD: CNNVD-201901-298 // 
            
            
            
            NVD: CVE-2018-15456

REFERENCES
url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190109-ise-passwd
Trust: 2.0
url:http://www.securityfocus.com/bid/106512
Trust: 1.7
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-15456
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-15456
Trust: 0.8
url:http://www.cisco.com/
Trust: 0.3
url:http://www.cisco.com/en/us/products/ps11640/
Trust: 0.3
sources:
            
            
            VULHUB: VHN-125717 // 
            
            
            
            BID: 106512 // 
            
            
            
            JVNDB: JVNDB-2018-013704 // 
            
            
            
            CNNVD: CNNVD-201901-298 // 
            
            
            
            NVD: CVE-2018-15456

CREDITS
This vulnerability was found during the resolution of a Cisco TAC support case.
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-201901-298

SOURCES
db:VULHUBid:VHN-125717
db:BIDid:106512
db:JVNDBid:JVNDB-2018-013704
db:CNNVDid:CNNVD-201901-298
db:NVDid:CVE-2018-15456

LAST UPDATE DATE
2024-08-14T13:55:38.817000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-125717date:2019-10-09T00:00:00
db:BIDid:106512date:2019-01-09T00:00:00
db:JVNDBid:JVNDB-2018-013704date:2019-02-28T00:00:00
db:CNNVDid:CNNVD-201901-298date:2019-10-17T00:00:00
db:NVDid:CVE-2018-15456date:2019-10-09T23:35:40.487

SOURCES RELEASE DATE
db:VULHUBid:VHN-125717date:2019-01-10T00:00:00
db:BIDid:106512date:2019-01-09T00:00:00
db:JVNDBid:JVNDB-2018-013704date:2019-02-28T00:00:00
db:CNNVDid:CNNVD-201901-298date:2019-01-10T00:00:00
db:NVDid:CVE-2018-15456date:2019-01-10T18:29:00.577