Details of VAR-202003-1182

ID

VAR-202003-1182

CVE

CVE-2020-3148

TITLE

Cisco Prime Network Registrar Cross-Site Request Forgery Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2020-15700 // CNNVD: CNNVD-202003-182

DESCRIPTION

A vulnerability in the web-based interface of Cisco Prime Network Registrar (CPNR) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections in the web-based interface. An attacker could exploit this vulnerability by persuading a targeted user, with an active administrative session on the affected device, to click a malicious link. A successful exploit could allow an attacker to change the device's configuration, which could include the ability to edit or create user accounts of any privilege level. Some changes to the device's configuration could negatively impact the availability of networking services for other devices on networks managed by CPNR. Cisco Prime Network Registrar (CPNR) is a network registrar product from Cisco (USA). The product provides services such as Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), and IP Address Management (IPAM)

Trust: 2.34

sources: NVD: CVE-2020-3148 // JVNDB: JVNDB-2020-002428 // CNVD: CNVD-2020-15700 // VULHUB: VHN-181273 // VULMON: CVE-2020-3148

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2020-15700

AFFECTED PRODUCTS

vendor:	cisco	model:	prime network registrar	scope:	lt	version:	10.1	Trust: 1.6
vendor:	cisco	model:	prime network registrar	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	prime network registrar	scope:	eq	version:	7.1.2.1	Trust: 0.6
vendor:	cisco	model:	prime network registrar	scope:	eq	version:	7.1	Trust: 0.6
vendor:	cisco	model:	prime network registrar	scope:	eq	version:	7.0	Trust: 0.6
vendor:	cisco	model:	prime network registrar	scope:	eq	version:	7.2.0.1	Trust: 0.6
vendor:	cisco	model:	prime network registrar	scope:	eq	version:	7.1.3	Trust: 0.6
vendor:	cisco	model:	prime network registrar	scope:	eq	version:	7.1.1	Trust: 0.6
vendor:	cisco	model:	prime network registrar	scope:	eq	version:	7.2	Trust: 0.6
vendor:	cisco	model:	prime network registrar	scope:	eq	version:	6.3.3	Trust: 0.6
vendor:	cisco	model:	prime network registrar	scope:	eq	version:	7.0.1	Trust: 0.6
vendor:	cisco	model:	prime network registrar	scope:	eq	version:	7.2.1	Trust: 0.6

sources: CNVD: CNVD-2020-15700 // JVNDB: JVNDB-2020-002428 // CNNVD: CNNVD-202003-182 // NVD: CVE-2020-3148

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-3148
value:	HIGH
Trust: 1.0
ykramarz@cisco.com:	CVE-2020-3148
value:	HIGH
Trust: 1.0
NVD:	JVNDB-2020-002428
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2020-15700
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-202003-182
value:	HIGH
Trust: 0.6
VULHUB:	VHN-181273
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2020-3148
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2020-3148
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
NVD:	JVNDB-2020-002428
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2020-15700
severity:	HIGH
baseScore:	8.5
vectorString:	AV:N/AC:L/AU:N/C:N/I:C/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	COMPLETE
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	7.8
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-181273
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2020-3148
baseSeverity:	HIGH
baseScore:	7.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	LOW
exploitabilityScore:	2.8
impactScore:	4.2
version:	3.1
Trust: 1.0
ykramarz@cisco.com:	CVE-2020-3148
baseSeverity:	HIGH
baseScore:	7.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	LOW
exploitabilityScore:	2.8
impactScore:	4.2
version:	3.0
Trust: 1.0
NVD:	JVNDB-2020-002428
baseSeverity:	HIGH
baseScore:	7.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	LOW
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2020-15700 // VULHUB: VHN-181273 // VULMON: CVE-2020-3148 // JVNDB: JVNDB-2020-002428 // CNNVD: CNNVD-202003-182 // NVD: CVE-2020-3148 // NVD: CVE-2020-3148

PROBLEMTYPE DATA

problemtype:

CWE-352

Trust: 1.9

sources: VULHUB: VHN-181273 // JVNDB: JVNDB-2020-002428 // NVD: CVE-2020-3148

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202003-182

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-202003-182

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-002428

PATCH

title:	cisco-sa-cpnr-csrf-WWTrDkyL	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cpnr-csrf-WWTrDkyL	Trust: 0.8
title:	Patch for Cisco Prime Network Registrar Cross-Site Request Forgery Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/207425	Trust: 0.6
title:	Cisco Prime Network Registrar Fixes for cross-site request forgery vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=111116	Trust: 0.6
title:	Cisco: Cisco Prime Network Registrar Cross-Site Request Forgery Vulnerability	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-cpnr-csrf-WWTrDkyL	Trust: 0.1
title:	Threatpost	url:	https://threatpost.com/high-severity-cisco-webex-flaws-fixed/153462/	Trust: 0.1

sources: CNVD: CNVD-2020-15700 // VULMON: CVE-2020-3148 // JVNDB: JVNDB-2020-002428 // CNNVD: CNNVD-202003-182

EXTERNAL IDS

db:	NVD	id:	CVE-2020-3148	Trust: 3.2
db:	JVNDB	id:	JVNDB-2020-002428	Trust: 0.8
db:	CNNVD	id:	CNNVD-202003-182	Trust: 0.7
db:	CNVD	id:	CNVD-2020-15700	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.0807	Trust: 0.6
db:	VULHUB	id:	VHN-181273	Trust: 0.1
db:	VULMON	id:	CVE-2020-3148	Trust: 0.1

sources: CNVD: CNVD-2020-15700 // VULHUB: VHN-181273 // VULMON: CVE-2020-3148 // JVNDB: JVNDB-2020-002428 // CNNVD: CNNVD-202003-182 // NVD: CVE-2020-3148

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2020-3148	Trust: 2.0
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-cpnr-csrf-wwtrdkyl	Trust: 1.9
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-3148	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/esb-2020.0807/	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/352.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://threatpost.com/high-severity-cisco-webex-flaws-fixed/153462/	Trust: 0.1

sources: CNVD: CNVD-2020-15700 // VULHUB: VHN-181273 // VULMON: CVE-2020-3148 // JVNDB: JVNDB-2020-002428 // CNNVD: CNNVD-202003-182 // NVD: CVE-2020-3148

SOURCES

db:	CNVD	id:	CNVD-2020-15700
db:	VULHUB	id:	VHN-181273
db:	VULMON	id:	CVE-2020-3148
db:	JVNDB	id:	JVNDB-2020-002428
db:	CNNVD	id:	CNNVD-202003-182
db:	NVD	id:	CVE-2020-3148

LAST UPDATE DATE

2024-11-23T22:33:33.661000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2020-15700	date:	2020-03-06T00:00:00
db:	VULHUB	id:	VHN-181273	date:	2020-03-05T00:00:00
db:	VULMON	id:	CVE-2020-3148	date:	2020-03-05T00:00:00
db:	JVNDB	id:	JVNDB-2020-002428	date:	2020-03-16T00:00:00
db:	CNNVD	id:	CNNVD-202003-182	date:	2020-03-13T00:00:00
db:	NVD	id:	CVE-2020-3148	date:	2024-11-21T05:30:25.577

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2020-15700	date:	2020-03-06T00:00:00
db:	VULHUB	id:	VHN-181273	date:	2020-03-04T00:00:00
db:	VULMON	id:	CVE-2020-3148	date:	2020-03-04T00:00:00
db:	JVNDB	id:	JVNDB-2020-002428	date:	2020-03-16T00:00:00
db:	CNNVD	id:	CNNVD-202003-182	date:	2020-03-04T00:00:00
db:	NVD	id:	CVE-2020-3148	date:	2020-03-04T19:15:12.587