Sign-up

ID

VAR-202008-0791


CVE

CVE-2020-3152


TITLE

Cisco Connected Mobile Experiences Vulnerability regarding improper default permissions in

Trust: 0.8

sources: JVNDB: JVNDB-2020-010394

DESCRIPTION

A vulnerability in Cisco Connected Mobile Experiences (CMX) could allow an authenticated, local attacker with administrative credentials to execute arbitrary commands with root privileges. The vulnerability is due to improper user permissions that are configured by default on an affected system. An attacker could exploit this vulnerability by sending crafted commands to the CLI. A successful exploit could allow the attacker to elevate privileges and execute arbitrary commands on the underlying operating system as root. To exploit this vulnerability, an attacker would need to have valid administrative credentials. (DoS) It may be put into a state

Trust: 1.71

sources: NVD: CVE-2020-3152 // JVNDB: JVNDB-2020-010394 // VULHUB: VHN-181277

AFFECTED PRODUCTS

vendor:ciscomodel:connected mobile experiencesscope:eqversion:10.6.2

Trust: 1.0

vendor:ciscomodel:connected mobile experiencesscope:eqversion:10.6.0

Trust: 1.0

vendor:ciscomodel:connected mobile experiencesscope:eqversion:10.6.1

Trust: 1.0

vendor:ciscomodel:connected mobile experiencesscope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2020-010394 // NVD: CVE-2020-3152

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-3152
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3152
value: MEDIUM

Trust: 1.0

NVD: JVNDB-2020-010394
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202008-966
value: MEDIUM

Trust: 0.6

VULHUB: VHN-181277
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2020-3152
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-010394
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-181277
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-3152
baseSeverity: MEDIUM
baseScore: 6.7
vectorString: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 0.8
impactScore: 5.9
version: 3.1

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3152
baseSeverity: MEDIUM
baseScore: 6.7
vectorString: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 0.8
impactScore: 5.9
version: 3.0

Trust: 1.0

NVD: JVNDB-2020-010394
baseSeverity: MEDIUM
baseScore: 6.7
vectorString: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-181277 // JVNDB: JVNDB-2020-010394 // CNNVD: CNNVD-202008-966 // NVD: CVE-2020-3152 // NVD: CVE-2020-3152

PROBLEMTYPE DATA

problemtype:CWE-276

Trust: 1.9

problemtype:CWE-275

Trust: 1.0

sources: VULHUB: VHN-181277 // JVNDB: JVNDB-2020-010394 // NVD: CVE-2020-3152

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202008-966

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-202008-966

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2020-010394

PATCH
title:cisco-sa-cmx-prvesc-6g37hjALurl:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cmx-prvesc-6g37hjAL
Trust: 0.8
title:Cisco Connected Mobile Experiences Remediation measures for authorization problem vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=126762
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2020-010394 // 
            
            
            
            CNNVD: CNNVD-202008-966

EXTERNAL IDS
db:NVDid:CVE-2020-3152
Trust: 2.5
db:JVNDBid:JVNDB-2020-010394
Trust: 0.8
db:CNNVDid:CNNVD-202008-966
Trust: 0.7
db:NSFOCUSid:48425
Trust: 0.6
db:AUSCERTid:ESB-2020.2856
Trust: 0.6
db:CNVDid:CNVD-2020-50153
Trust: 0.1
db:VULHUBid:VHN-181277
Trust: 0.1
sources:
            
            
            VULHUB: VHN-181277 // 
            
            
            
            JVNDB: JVNDB-2020-010394 // 
            
            
            
            CNNVD: CNNVD-202008-966 // 
            
            
            
            NVD: CVE-2020-3152

REFERENCES
url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-cmx-prvesc-6g37hjal
Trust: 2.3
url:https://nvd.nist.gov/vuln/detail/cve-2020-3152
Trust: 1.4
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-3152
Trust: 0.8
url:http://www.nsfocus.net/vulndb/48425
Trust: 0.6
url:https://www.auscert.org.au/bulletins/esb-2020.2856/
Trust: 0.6
sources:
            
            
            VULHUB: VHN-181277 // 
            
            
            
            JVNDB: JVNDB-2020-010394 // 
            
            
            
            CNNVD: CNNVD-202008-966 // 
            
            
            
            NVD: CVE-2020-3152

SOURCES
db:VULHUBid:VHN-181277
db:JVNDBid:JVNDB-2020-010394
db:CNNVDid:CNNVD-202008-966
db:NVDid:CVE-2020-3152

LAST UPDATE DATE
2024-11-23T22:55:05.488000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-181277date:2020-09-01T00:00:00
db:JVNDBid:JVNDB-2020-010394date:2021-01-12T07:18:10
db:CNNVDid:CNNVD-202008-966date:2021-01-05T00:00:00
db:NVDid:CVE-2020-3152date:2024-11-21T05:30:26.070

SOURCES RELEASE DATE
db:VULHUBid:VHN-181277date:2020-08-26T00:00:00
db:JVNDBid:JVNDB-2020-010394date:2021-01-12T07:18:10
db:CNNVDid:CNNVD-202008-966date:2020-08-19T00:00:00
db:NVDid:CVE-2020-3152date:2020-08-26T17:15:13.193