Cisco Finesse Appliance User Data Information Disclosure Vulnerability (Cisco-SA-20130812-CVE-2013-3455)

2019-10-2100:00:00

www.tenable.com

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS

0.003

Percentile

68.4%

JSON

According to its self-reported version, the Cisco Finesse appliance is affected by an information disclosure vulnerability in HTTP queries due to insufficient encryption. An unauthenticated, remote attacker can exploit this, via capturing the HTTP query, to disclose potentially sensitive information.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(130060);
  script_version("1.3");
  script_cvs_date("Date: 2019/10/31 15:18:51");

  script_cve_id("CVE-2013-3455");
  script_xref(name:"CISCO-BUG-ID", value:"CSCug16732");
  script_xref(name:"CISCO-SA", value:"Cisco-SA-20130812-CVE-2013-3455");

  script_name(english:"Cisco Finesse Appliance User Data Information Disclosure Vulnerability (Cisco-SA-20130812-CVE-2013-3455)");
  script_summary(english:"Checks the Cisco Finesse appliance version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, the Cisco Finesse appliance is affected by an information disclosure
vulnerability in HTTP queries due to insufficient encryption. An unauthenticated, remote attacker can exploit this, via
capturing the HTTP query, to disclose potentially sensitive information.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/Cisco-SA-20130812-CVE-2013-3455
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?73d2a99d");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCug16732");
  script_set_attribute(attribute:"solution", value:
"Apply the patch or upgrade to the version recommended in Cisco bug ID CSCug16732");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2013-3455");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_cwe_id(200);

  script_set_attribute(attribute:"vuln_publication_date", value:"2013/08/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/08/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/21");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:finesse");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_voss_finesse_installed.nbin");
  script_require_keys("installed_sw/Cisco VOSS Finesse", "Settings/ParanoidReport");

  exit(0);
}

include('vcf.inc');
include('vcf_extras.inc');

app_info = vcf::cisco_finesse::get_app_info(app:'Cisco VOSS Finesse');

if (report_paranoia < 2) audit(AUDIT_PARANOID);

constraints = [
  { 'min_version':'0', 'fixed_version':'10.0.1', 'fixed_display' : 'Refer to Cisco Bug ID: CSCug16732' }
];

vcf::cisco_finesse::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);