CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:S/C:P/I:N/A:N
EPSS
Percentile
38.8%
A vulnerability in the Cisco Prime Infrastructure (PI) username storage and authentication process could allow an authenticated, remote attacker to gain elevated privileges on a targeted system.
The vulnerability occurs because the affected software saves case-sensitive usernames and performs case-sensitive string comparisons. An attacker could exploit this vulnerability during authentication by entering a username that contains characters in cases different from the combination registered on the affected software. If the Cisco PI is configured for external authentication using a AAA server, the login will succeed but the affected software will assign default authorizations to the user who is logged in. A successful exploit could allow the attacker to access the targeted system and elevate privileges in the application.
Cisco has confirmed the vulnerability; however, software updates are not available.
To exploit this vulnerability, an attacker must authenticate to the targeted device. A successful exploit could be accomplished if the affected software is configured for external authentication. These access requirements reduce the likelihood of a successful exploit.
Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.
Vendor | Product | Version | CPE |
---|---|---|---|
cisco | prime_infrastructure | any | cpe:2.3:a:cisco:prime_infrastructure:any:*:*:*:*:*:*:* |