Lucene search

[email protected]CVE-2016-1297

HistoryFeb 26, 2016 - 5:59 a.m.

CVE-2016-1297

2016-02-2605:59:00

CWE-78

[email protected]

web.nvd.nist.gov

cisco

ace

cve-2016-1297

device manager

gui

rbac

bug id

cscul84801

security issue

remote execution

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.7 High

AI Score

Confidence

High

9 High

CVSS2

Access Vector

Access Complexity

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

0.004 Low

EPSS

Percentile

72.8%

JSON

The Device Manager GUI in Cisco Application Control Engine (ACE) 4710 A5 before A5(3.1) allows remote authenticated users to bypass intended RBAC restrictions and execute arbitrary CLI commands with admin privileges via an unspecified parameter in a POST request, aka Bug ID CSCul84801.

Affected configurations

NVD

Node

ciscoapplication_control_engine_softwareMatcha5\(1.0\)

ciscoapplication_control_engine_softwareMatcha5\(1.1\)

ciscoapplication_control_engine_softwareMatcha5\(1.2\)

ciscoapplication_control_engine_softwareMatcha5\(2.0\)

ciscoapplication_control_engine_softwareMatcha5\(2.1\)

ciscoapplication_control_engine_softwareMatcha5\(2.1e\)

ciscoapplication_control_engine_softwareMatcha5\(3.0\)

CPENameOperatorVersion
cisco:application_control_engine_softwarecisco application control engine softwareeqa5\(1.0\)
cisco:application_control_engine_softwarecisco application control engine softwareeqa5\(1.1\)
cisco:application_control_engine_softwarecisco application control engine softwareeqa5\(1.2\)
cisco:application_control_engine_softwarecisco application control engine softwareeqa5\(2.0\)
cisco:application_control_engine_softwarecisco application control engine softwareeqa5\(2.1\)
cisco:application_control_engine_softwarecisco application control engine softwareeqa5\(2.1e\)
cisco:application_control_engine_softwarecisco application control engine softwareeqa5\(3.0\)

CPE	Name	Operator	Version
cisco:application_control_engine_software	cisco application control engine software	eq	a5\(1.0\)
cisco:application_control_engine_software	cisco application control engine software	eq	a5\(1.1\)
cisco:application_control_engine_software	cisco application control engine software	eq	a5\(1.2\)
cisco:application_control_engine_software	cisco application control engine software	eq	a5\(2.0\)
cisco:application_control_engine_software	cisco application control engine software	eq	a5\(2.1\)
cisco:application_control_engine_software	cisco application control engine software	eq	a5\(2.1e\)
cisco:application_control_engine_software	cisco application control engine software	eq	a5\(3.0\)

References

tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160224-ace

www.securitytracker.com/id/1035104

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.7 High

AI Score

Confidence

High

9 High

CVSS2

Access Vector

Access Complexity

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

0.004 Low

EPSS

Percentile

72.8%

JSON

Related for CVE-2016-1297

nvd1 cisco1 prion1 nessus1 cvelist1