Cisco Secure Access Control System Information Disclosure Vulnerability
2017-02-16T00:00:00
ID OPENVAS:1361412562310106592 Type openvas Reporter This script is Copyright (C) 2017 Greenbone Networks GmbH Modified 2018-10-26T00:00:00
Description
A vulnerability in the web interface of the Cisco Secure Access Control
System (ACS) could allow an unauthenticated, remote attacker to disclose sensitive information.
###############################################################################
# OpenVAS Vulnerability Test
# $Id: gb_cisco_acs_cisco-sa-20170215-acs3.nasl 12106 2018-10-26 06:33:36Z cfischer $
#
# Cisco Secure Access Control System Information Disclosure Vulnerability
#
# Authors:
# Christian Kuersteiner <christian.kuersteiner@greenbone.net>
#
# Copyright:
# Copyright (c) 2017 Greenbone Networks GmbH
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
# CPE identifier for Cisco Secure ACS; it is passed to get_app_version()
# later in this script to look up the detected version.
CPE = "cpe:/a:cisco:secure_access_control_system";

# Registration phase: when the scanner loads the script with `description`
# set, only the metadata below is declared and the script stops at exit(0).
if (description)
{
  # Identity and revision bookkeeping.
  script_oid("1.3.6.1.4.1.25623.1.0.106592");
  script_version("$Revision: 12106 $");
  script_tag(name:"last_modification", value:"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $");
  script_tag(name:"creation_date", value:"2017-02-16 11:28:55 +0700 (Thu, 16 Feb 2017)");
  script_name("Cisco Secure Access Control System Information Disclosure Vulnerability");
  script_family("CISCO");
  script_copyright("This script is Copyright (C) 2017 Greenbone Networks GmbH");
  script_category(ACT_GATHER_INFO);

  # Vulnerability reference and severity. The base vector is written in
  # CVSS v2 notation (AV/AC/Au/C/I/A).
  script_cve_id("CVE-2017-3841");
  script_tag(name:"cvss_base", value:"5.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_xref(name:"URL", value:"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-acs3");

  # Human-readable result texts. The line breaks inside the values are part
  # of the strings and are kept as they are.
  script_tag(name:"summary", value:"A vulnerability in the web interface of the Cisco Secure Access Control
System (ACS) could allow an unauthenticated, remote attacker to disclose sensitive information.");
  script_tag(name:"insight", value:"The vulnerability is due to the inclusion of sensitive information in a
server response when certain pages of the web interface are accessed.");
  script_tag(name:"impact", value:"An unauthenticated attacker with the ability to view configuration parameters
could disclose passwords and other sensitive information about the affected system.");
  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");
  script_tag(name:"solution", value:"See the referenced vendor advisory for a solution.");
  script_tag(name:"solution_type", value:"VendorFix");

  # NOTE(review): the check only compares a stored version string; confirm
  # that qod_type "package" matches how gb_cisco_acs_version.nasl obtains it.
  script_tag(name:"qod_type", value:"package");

  # Prerequisites: the version detection script must have run and must have
  # set the cisco_acs/version key.
  script_dependencies("gb_cisco_acs_version.nasl");
  script_mandatory_keys("cisco_acs/version");

  exit(0);
}
include("host_details.inc");
include("version_func.inc");
# Look up the ACS version recorded for this host. Without one there is
# nothing to compare, so the script ends without reporting a result.
version = get_app_version(cpe:CPE);
if (!version)
  exit(0);

# Only release 5.8(2.5) is treated as affected. The comparison is an exact
# string match, so every other value ends with exit(99), the OpenVAS
# convention for "checked, not affected".
# NOTE(review): assumes the detection script stores the release in exactly
# this form; confirm against gb_cisco_acs_version.nasl to rule out a missed
# finding caused by a differently formatted version string.
if (version != "5.8(2.5)")
  exit(99);

# The script names no fixed release; the report points the reader to the
# vendor advisory instead.
report = report_fixed_ver(installed_version: version, fixed_version: "See advisory");
security_message(port: 0, data: report);
exit(0);
{"id": "OPENVAS:1361412562310106592", "type": "openvas", "bulletinFamily": "scanner", "title": "Cisco Secure Access Control System Information Disclosure Vulnerability", "description": "A vulnerability in the web interface of the Cisco Secure Access Control\nSystem (ACS) could allow an unauthenticated, remote attacker to disclose sensitive information.", "published": "2017-02-16T00:00:00", "modified": "2018-10-26T00:00:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106592", "reporter": "This script is Copyright (C) 2017 Greenbone Networks GmbH", "references": ["https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-acs3"], "cvelist": ["CVE-2017-3841"], "lastseen": "2019-05-29T18:34:12", "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-3841"]}, {"type": "cisco", "idList": ["CISCO-SA-20170215-ACS3"]}], "modified": "2019-05-29T18:34:12", "rev": 2}, "score": {"value": 5.1, "vector": "NONE", "modified": "2019-05-29T18:34:12", "rev": 2}, "vulnersScore": 5.1}, "pluginID": "1361412562310106592", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_cisco_acs_cisco-sa-20170215-acs3.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# Cisco Secure Access Control System Information Disclosure Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# 
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:cisco:secure_access_control_system\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106592\");\n script_cve_id(\"CVE-2017-3841\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_version(\"$Revision: 12106 $\");\n\n script_name(\"Cisco Secure Access Control System Information Disclosure Vulnerability\");\n\n script_xref(name:\"URL\", value:\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-acs3\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"summary\", value:\"A vulnerability in the web interface of the Cisco Secure Access Control\nSystem (ACS) could allow an unauthenticated, remote attacker to disclose sensitive information.\");\n\n script_tag(name:\"insight\", value:\"The vulnerability is due to the inclusion of sensitive information in a\nserver response when certain pages of the web interface are accessed.\");\n\n script_tag(name:\"impact\", value:\"An unauthenticated attacker with the ability to view configuration parameters\ncould disclose passwords and other sensitive information about the affected system.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) 
$\");\n script_tag(name:\"creation_date\", value:\"2017-02-16 11:28:55 +0700 (Thu, 16 Feb 2017)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"CISCO\");\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_cisco_acs_version.nasl\");\n script_mandatory_keys(\"cisco_acs/version\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!version = get_app_version(cpe:CPE))\n exit(0);\n\nif (version == \"5.8(2.5)\") {\n report = report_fixed_ver(installed_version: version, fixed_version: \"See advisory\");\n security_message(port: 0, data: report);\n exit(0);\n}\n\nexit(99);\n\n", "naslFamily": "CISCO"}
{"cve": [{"lastseen": "2020-10-03T13:07:43", "description": "A vulnerability in the web interface of the Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to disclose sensitive information. More Information: CSCvc04854. Known Affected Releases: 5.8(2.5).", "edition": 3, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-02-22T02:59:00", "title": "CVE-2017-3841", "type": "cve", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3841"], "modified": "2017-07-25T01:29:00", "cpe": ["cpe:/a:cisco:secure_access_control_system:5.8\\(2.5\\)"], "id": "CVE-2017-3841", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-3841", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:cisco:secure_access_control_system:5.8\\(2.5\\):*:*:*:*:*:*:*"]}], "cisco": [{"lastseen": "2020-12-24T11:41:14", "bulletinFamily": "software", "cvelist": ["CVE-2017-3841"], "description": "A vulnerability in the web interface of the Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to disclose sensitive 
information.\n\nThe vulnerability is due to the inclusion of sensitive information in a server response when certain pages of the web interface are accessed. An unauthenticated attacker with the ability to view configuration parameters could disclose passwords and other sensitive information about the affected system.\n\nThere are no workarounds that address this vulnerability.\n\nThis advisory is available at the following link:\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-acs3 [\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-acs3\"]", "modified": "2017-03-03T00:03:58", "published": "2017-02-15T16:00:00", "id": "CISCO-SA-20170215-ACS3", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-acs3", "type": "cisco", "title": "Cisco Secure Access Control System Information Disclosure Vulnerability", "cvss": {"score": 5.3, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}]}