CiscoCISCO-SA-20140115-CVE-2014-0665Cisco ISE Unprivileged Support Bundle Download Vulnerability
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
EPSS
Percentile
65.0%
A vulnerability in the role-based access control code of the Cisco Identity Services Engine (ISE) could allow an authenticated, but unprivileged, remote attacker to access support bundle information.
The vulnerability is due to a failure to check the user privileges correctly when downloading the support bundle. An attacker could exploit this vulnerability by downloading the support bundle without the appropriate privileges. An exploit could allow the unprivileged attacker to download the support bundle and access sensitive information such as the user database.
Cisco has confirmed the vulnerability in a security notice and released software updates.
To exploit this vulnerability, an attacker must authenticate to a targeted device. This access requirement decreases the likelihood of a successful exploit.
Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| cisco | identity_services_engine_software | any | cpe:2.3:a:cisco:identity_services_engine_software:any:*:*:*:*:*:*:* |
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
EPSS
Percentile
65.0%