Lucene search

CiscoCVE-2017-6617

HistoryApr 20, 2017 - 10:59 p.m.

CVE-2017-6617

2017-04-2022:59:00

CWE-287

cisco

web.nvd.nist.gov

cisco

imc

vulnerability

session management

web gui

remote attacker

hijack

session identifier

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

AI Score

5.4

Confidence

High

EPSS

0.001

Percentile

42.2%

JSON

A vulnerability in the session identification management functionality of the web-based GUI of Cisco Integrated Management Controller (IMC) 3.0(1c) could allow an unauthenticated, remote attacker to hijack a valid user session on an affected system. The vulnerability exists because the affected software does not assign a new session identifier to a user session when a user authenticates to the web-based GUI. An attacker could exploit this vulnerability by using a hijacked session identifier to connect to the software through the web-based GUI. A successful exploit could allow the attacker to hijack an authenticated user’s browser session on the affected system. Cisco Bug IDs: CSCvd14583.

Affected configurations

Nvd

Node

ciscointegrated_management_controller_supervisorMatch3.0\(1c\)

VendorProductVersionCPE
ciscointegrated_management_controller_supervisor3.0(1c)cpe:2.3:a:cisco:integrated_management_controller_supervisor:3.0\(1c\):*:*:*:*:*:*:*

Vendor	Product	Version	CPE
cisco	integrated_management_controller_supervisor	3.0(1c)	cpe:2.3:a:cisco:integrated_management_controller_supervisor:3.0\(1c\):::::::*

CNA Affected

[
  {
    "product": "Cisco Integrated Management Controller",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "Cisco Integrated Management Controller"
      }
    ]
  }
]

References

www.securityfocus.com/bid/97929

tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170419-cimc2

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

AI Score

5.4

Confidence

High

EPSS

0.001

Percentile

42.2%

JSON

Related for CVE-2017-6617