cnvd - cnvd-2015-07359

CNVD-2015-07359

Vulnerability from cnvd - Published: 2015-11-10

Title

Cisco Secure Access Control Server安全限制绕过漏洞

Description

Cisco Secure Access Control Server即（ACS），是美国思科（Cisco）公司的一款安全访问控制服务器。 Cisco Secure Access Control Server 5.7存在安全限制绕过漏洞。允许已通过身份验证的远程用户，通过访问一个未指定的web页绕过预期的RBAC的限制，读取报告或状态信息，

Severity

中

Patch Name

Cisco Secure Access Control Server安全限制绕过漏洞的补丁

Patch Description

Formal description

目前没有详细解决方案提供： http://www.cisco.com/

Reference

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151023-acs_rbac1

Impacted products

Name
Cisco Secure Access Control Server 5.7

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "77310"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2015-6348"
    }
  },
  "description": "Cisco Secure Access Control Server\u5373\uff08ACS\uff09\uff0c\u662f\u7f8e\u56fd\u601d\u79d1\uff08Cisco\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u5b89\u5168\u8bbf\u95ee\u63a7\u5236\u670d\u52a1\u5668\u3002\r\n\r\nCisco Secure Access Control Server 5.7\u5b58\u5728\u5b89\u5168\u9650\u5236\u7ed5\u8fc7\u6f0f\u6d1e\u3002\u5141\u8bb8\u5df2\u901a\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u7684\u8fdc\u7a0b\u7528\u6237\uff0c\u901a\u8fc7\u8bbf\u95ee\u4e00\u4e2a\u672a\u6307\u5b9a\u7684web\u9875\u7ed5\u8fc7\u9884\u671f\u7684RBAC\u7684\u9650\u5236\uff0c\u8bfb\u53d6\u62a5\u544a\u6216\u72b6\u6001\u4fe1\u606f\uff0c",
  "discovererName": "Cisco",
  "formalWay": "\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u89e3\u51b3\u65b9\u6848\u63d0\u4f9b\uff1a\r\nhttp://www.cisco.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2015-07359",
  "openTime": "2015-11-10",
  "patchDescription": "Cisco Secure Access Control Server\u5373\uff08ACS\uff09\uff0c\u662f\u7f8e\u56fd\u601d\u79d1\uff08Cisco\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u5b89\u5168\u8bbf\u95ee\u63a7\u5236\u670d\u52a1\u5668\u3002\r\nCisco Secure Access Control Server 5.7\u5b58\u5728\u5b89\u5168\u9650\u5236\u7ed5\u8fc7\u6f0f\u6d1e\u3002\u5141\u8bb8\u5df2\u901a\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u7684\u8fdc\u7a0b\u7528\u6237\uff0c\u901a\u8fc7\u8bbf\u95ee\u4e00\u4e2a\u672a\u6307\u5b9a\u7684web\u9875\u7ed5\u8fc7\u9884\u671f\u7684RBAC\u7684\u9650\u5236\uff0c\u8bfb\u53d6\u62a5\u544a\u6216\u72b6\u6001\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Cisco Secure Access Control Server\u5b89\u5168\u9650\u5236\u7ed5\u8fc7\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Cisco Secure Access Control Server 5.7"
  },
  "referenceLink": "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151023-acs_rbac1",
  "serverity": "\u4e2d",
  "submitTime": "2015-11-05",
  "title": "Cisco Secure Access Control Server\u5b89\u5168\u9650\u5236\u7ed5\u8fc7\u6f0f\u6d1e"
}

CVE-2015-6348 (GCVE-0-2015-6348)

Vulnerability from cvelistv5 – Published: 2015-10-30 10:00 – Updated: 2024-08-06 07:22

Summary

The report-generation web interface in the Solution Engine in Cisco Secure Access Control Server (ACS) 5.7(0.15) allows remote authenticated users to bypass intended RBAC restrictions, and read report or status information, by visiting an unspecified web page.

Severity ?

No CVSS data available.

CWE

Assigner

cisco

References

URL

Tags

	http://www.securitytracker.com/id/1033970	vdb-entryx_refsource_SECTRACK
	http://tools.cisco.com/security/center/content/Ci…	vendor-advisoryx_refsource_CISCO

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T07:22:21.050Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "1033970",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1033970"
          },
          {
            "name": "20151026 Cisco Secure Access Control Server Role-Based Access Control Weak Protection Vulnerability",
            "tags": [
              "vendor-advisory",
              "x_refsource_CISCO",
              "x_transferred"
            ],
            "url": "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151023-acs_rbac1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-10-26T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The report-generation web interface in the Solution Engine in Cisco Secure Access Control Server (ACS) 5.7(0.15) allows remote authenticated users to bypass intended RBAC restrictions, and read report or status information, by visiting an unspecified web page."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2016-12-05T21:57:02",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "name": "1033970",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1033970"
        },
        {
          "name": "20151026 Cisco Secure Access Control Server Role-Based Access Control Weak Protection Vulnerability",
          "tags": [
            "vendor-advisory",
            "x_refsource_CISCO"
          ],
          "url": "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151023-acs_rbac1"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@cisco.com",
          "ID": "CVE-2015-6348",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The report-generation web interface in the Solution Engine in Cisco Secure Access Control Server (ACS) 5.7(0.15) allows remote authenticated users to bypass intended RBAC restrictions, and read report or status information, by visiting an unspecified web page."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "1033970",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1033970"
            },
            {
              "name": "20151026 Cisco Secure Access Control Server Role-Based Access Control Weak Protection Vulnerability",
              "refsource": "CISCO",
              "url": "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151023-acs_rbac1"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2015-6348",
    "datePublished": "2015-10-30T10:00:00",
    "dateReserved": "2015-08-17T00:00:00",
    "dateUpdated": "2024-08-06T07:22:21.050Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2015-07359

CVE-2015-6348 (GCVE-0-2015-6348)

Tags

Sightings

Nomenclature