CVSS2 Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | SINGLE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |
Vector | AV:N/AC:L/Au:S/C:C/I:C/A:C |

EPSS Percentile: 74.5%
Cisco Identity Services Engine contains an input validation vulnerability (CWE-20).
CWE-20: Improper Input Validation
Cisco Identity Services Engine (ISE) contains an input validation vulnerability. The ISE device contains a TCP Dump option for analyzing traffic on the device. By using a proxy to modify the HTTP request, a remote authenticated attacker can encode commands into the vulnerable format parameter which could allow them to run arbitrary code on the affected system with the privilege of the root user.
A remote authenticated attacker may be able to execute arbitrary code as root on the device.
Apply an Update
Users are advised to refer to the “Software Versions and Fixes” section of the Cisco Security Advisory for details on which update is appropriate for their version of the Identity Services Engine.
952422
Notified: September 20, 2013 Updated: October 25, 2013
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector |
---|---|---|
Base | 9 | AV:N/AC:L/Au:S/C:C/I:C/A:C |
Temporal | 7.4 | E:F/RL:OF/RC:C |
Environmental | 1.9 | CDP:ND/TD:L/CR:ND/IR:ND/AR:ND |
Thanks to Stephen Hosom for reporting this vulnerability. Cisco also credits Jan Kadijk from Warpnet for first directly reporting this vulnerability.
This document was written by Adam Rauf.
CVE IDs: | CVE-2013-5530 |
---|---|
Date Public: | 2013-10-23 |
Date First Published: | |