Lucene search

CiscoCVE-2016-1297

HistoryFeb 26, 2016 - 5:59 a.m.

CVE-2016-1297

2016-02-2605:59:00

CWE-78

cisco

web.nvd.nist.gov

cisco

ace

cve-2016-1297

device manager

gui

rbac

bug id

cscul84801

security issue

remote execution

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.7

Confidence

High

EPSS

0.004

Percentile

72.8%

JSON

The Device Manager GUI in Cisco Application Control Engine (ACE) 4710 A5 before A5(3.1) allows remote authenticated users to bypass intended RBAC restrictions and execute arbitrary CLI commands with admin privileges via an unspecified parameter in a POST request, aka Bug ID CSCul84801.

Affected configurations

Nvd

Node

ciscoapplication_control_engine_softwareMatcha5\(1.0\)

ciscoapplication_control_engine_softwareMatcha5\(1.1\)

ciscoapplication_control_engine_softwareMatcha5\(1.2\)

ciscoapplication_control_engine_softwareMatcha5\(2.0\)

ciscoapplication_control_engine_softwareMatcha5\(2.1\)

ciscoapplication_control_engine_softwareMatcha5\(2.1e\)

ciscoapplication_control_engine_softwareMatcha5\(3.0\)

VendorProductVersionCPE
ciscoapplication_control_engine_softwarea5(1.0)cpe:2.3:a:cisco:application_control_engine_software:a5\(1.0\):*:*:*:*:*:*:*
ciscoapplication_control_engine_softwarea5(1.1)cpe:2.3:a:cisco:application_control_engine_software:a5\(1.1\):*:*:*:*:*:*:*
ciscoapplication_control_engine_softwarea5(1.2)cpe:2.3:a:cisco:application_control_engine_software:a5\(1.2\):*:*:*:*:*:*:*
ciscoapplication_control_engine_softwarea5(2.0)cpe:2.3:a:cisco:application_control_engine_software:a5\(2.0\):*:*:*:*:*:*:*
ciscoapplication_control_engine_softwarea5(2.1)cpe:2.3:a:cisco:application_control_engine_software:a5\(2.1\):*:*:*:*:*:*:*
ciscoapplication_control_engine_softwarea5(2.1e)cpe:2.3:a:cisco:application_control_engine_software:a5\(2.1e\):*:*:*:*:*:*:*
ciscoapplication_control_engine_softwarea5(3.0)cpe:2.3:a:cisco:application_control_engine_software:a5\(3.0\):*:*:*:*:*:*:*

Vendor	Product	Version	CPE
cisco	application_control_engine_software	a5(1.0)	cpe:2.3:a:cisco:application_control_engine_software:a5\(1.0\):::::::*
cisco	application_control_engine_software	a5(1.1)	cpe:2.3:a:cisco:application_control_engine_software:a5\(1.1\):::::::*
cisco	application_control_engine_software	a5(1.2)	cpe:2.3:a:cisco:application_control_engine_software:a5\(1.2\):::::::*
cisco	application_control_engine_software	a5(2.0)	cpe:2.3:a:cisco:application_control_engine_software:a5\(2.0\):::::::*
cisco	application_control_engine_software	a5(2.1)	cpe:2.3:a:cisco:application_control_engine_software:a5\(2.1\):::::::*
cisco	application_control_engine_software	a5(2.1e)	cpe:2.3:a:cisco:application_control_engine_software:a5\(2.1e\):::::::*
cisco	application_control_engine_software	a5(3.0)	cpe:2.3:a:cisco:application_control_engine_software:a5\(3.0\):::::::*

References

tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160224-ace

www.securitytracker.com/id/1035104

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.7

Confidence

High

EPSS

0.004

Percentile

72.8%

JSON

Related for CVE-2016-1297