VAR-201007-0201
Vulnerability from variot - Updated: 2023-12-18 12:39

The Cisco Content Services Switch (CSS) 11500 with software 08.20.1.01 conveys authentication data through ClientCert-* headers but does not delete client-supplied ClientCert-* headers, which might allow remote attackers to bypass authentication via crafted header data, as demonstrated by a ClientCert-Subject-CN header, aka Bug ID CSCsz04690. When the CSS is used to terminate SSL communication, the SSL client certificate must first be authenticated. The CSS then usually passes the identity of the client to the backend web server in the form of the following HTTP headers:

ClientCert-Subject: XXX
ClientCert-Subject-CN: XXX
ClientCert-Fingerprint: XXX
ClientCert-Subject-CN: XXX
ClientCert-Issuer-CN: XXX
ClientCert-Certificate-Version: XXX
ClientCert-Serial-Number: XXX
ClientCert-Data-Signature-Algorithm: XXX
ClientCert-Subject: XXX
ClientCert-Issuer: XXX
ClientCert-Not-Before: XXX
ClientCert-Not-After: XXX
ClientCert-Public-Key-Algorithm: XXX
ClientCert-RSA-Modulus-Size: XXX
ClientCert-RSA-Modulus: XXX
ClientCert-RSA-Exponent: XXX
ClientCert-X509v3-Subject-Key-Identifier: XXX
ClientCert-X509v3-Authority-Key-Identifier: XXX
ClientCert-Signature-Algorithm: XXX
ClientCert-Signature: XXX

However, the CSS does not guard against a client providing its own ClientCert-* headers, so an attacker can pose as another user, depending on how the application developer handles multiple copies of a header; for example, a backend that picks one copy of a duplicated header may read the client-supplied value rather than the one set by the CSS. An attacker can exploit these issues to impersonate other users when client certificate-based authentication is in use and to bypass certain security restrictions. Other attacks are also possible. These issues are being tracked by Cisco Bug IDs CSCSZ04690 and CSCTA04885.
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201007-0201",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "content services switch 11500",
"scope": "eq",
"trust": 1.6,
"vendor": "cisco",
"version": "08.20.1.01"
},
{
"model": "css 11500 series",
"scope": null,
"trust": 0.8,
"vendor": "cisco",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.6,
"vendor": "no",
"version": null
},
{
"model": "css11500 content services switch",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ace appliance a3",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "4750"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2010-1236"
},
{
"db": "BID",
"id": "41315"
},
{
"db": "JVNDB",
"id": "JVNDB-2010-001728"
},
{
"db": "NVD",
"id": "CVE-2010-1575"
},
{
"db": "CNNVD",
"id": "CNNVD-201007-034"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:cisco:content_services_switch_11500:08.20.1.01:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2010-1575"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "George D. Gal\u203b ggal@vsecurity.com",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201007-034"
}
],
"trust": 0.6
},
"cve": "CVE-2010-1575",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 7.5,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2010-1575",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "VHN-44180",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "NVD",
"id": "CVE-2010-1575",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201007-034",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-44180",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-44180"
},
{
"db": "JVNDB",
"id": "JVNDB-2010-001728"
},
{
"db": "NVD",
"id": "CVE-2010-1575"
},
{
"db": "CNNVD",
"id": "CNNVD-201007-034"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The Cisco Content Services Switch (CSS) 11500 with software 08.20.1.01 conveys authentication data through ClientCert-* headers but does not delete client-supplied ClientCert-* headers, which might allow remote attackers to bypass authentication via crafted header data, as demonstrated by a ClientCert-Subject-CN header, aka Bug ID CSCsz04690. When using CSS to terminate SSL communication, you must first authenticate the SSL client certificate. The CSS usually passes the identity of the client to the backend web server in the form of the following HTTP header: ClientCert-Subject: XXXClientCert-Subject-CN: XXXClientCert-Fingerprint: XXXClientCert-Subject-CN: XXXClientCert-Issuer-CN: XXXClientCert-Certificate-Version : XXXClientCert-Serial-Number: XXXClientCert-Data-Signature-Algorithm: XXXClientCert-Subject: XXXClientCert-Issuer: XXXClientCert-Not-Before: XXXClientCert-Not-After: XXXClientCert-Public-Key-Algorithm: XXXClientCert-RSA-Modulus-Size : XXXClientCert-RSA-Modulus: XXXClientCert-RSA-Exponent: XXXClientCert-X509v3-Subject-Key-Identifier: XXXClientCert-X509v3-Authority-Key-Identifier: XXXClientCert-Signature-Algorithm: XXXClientCert-Signature: XXX but CSS does not protect against the client Provides its own ClientCert-* header, so an attacker can act as a fake user for other users, depending on how the application developer handles multiple header copies. \nAn attacker can exploit these issues to impersonate other users when using client certificate-based authentication and to bypass certain security restrictions. Other attacks are also possible. \nThese issues are being tracked by Cisco Bugid CSCSZ04690 and CSCTA04885",
"sources": [
{
"db": "NVD",
"id": "CVE-2010-1575"
},
{
"db": "JVNDB",
"id": "JVNDB-2010-001728"
},
{
"db": "CNVD",
"id": "CNVD-2010-1236"
},
{
"db": "BID",
"id": "41315"
},
{
"db": "VULHUB",
"id": "VHN-44180"
}
],
"trust": 2.52
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://www.scap.org.cn/vuln/vhn-44180",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-44180"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2010-1575",
"trust": 3.4
},
{
"db": "BID",
"id": "41315",
"trust": 2.8
},
{
"db": "SECTRACK",
"id": "1024167",
"trust": 2.5
},
{
"db": "OSVDB",
"id": "66091",
"trust": 1.9
},
{
"db": "JVNDB",
"id": "JVNDB-2010-001728",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201007-034",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2010-1236",
"trust": 0.6
},
{
"db": "NSFOCUS",
"id": "15368",
"trust": 0.6
},
{
"db": "BUGTRAQ",
"id": "20100702 VSR ADVISORY: MULTIPLE CISCO CSS / ACE CLIENT CERTIFICATE AND HTTP HEADER MANIPULATION VULNERABILITIES",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "91436",
"trust": 0.1
},
{
"db": "VULHUB",
"id": "VHN-44180",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2010-1236"
},
{
"db": "VULHUB",
"id": "VHN-44180"
},
{
"db": "BID",
"id": "41315"
},
{
"db": "JVNDB",
"id": "JVNDB-2010-001728"
},
{
"db": "NVD",
"id": "CVE-2010-1575"
},
{
"db": "CNNVD",
"id": "CNNVD-201007-034"
}
]
},
"id": "VAR-201007-0201",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2010-1236"
},
{
"db": "VULHUB",
"id": "VHN-44180"
}
],
"trust": 1.2396825699999998
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2010-1236"
}
]
},
"last_update_date": "2023-12-18T12:39:03.381000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "20807",
"trust": 0.8,
"url": "http://tools.cisco.com/security/center/viewalert.x?alertid=20807"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2010-001728"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-264",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-44180"
},
{
"db": "JVNDB",
"id": "JVNDB-2010-001728"
},
{
"db": "NVD",
"id": "CVE-2010-1575"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.5,
"url": "http://www.securityfocus.com/bid/41315"
},
{
"trust": 2.5,
"url": "http://securitytracker.com/id?1024167"
},
{
"trust": 2.0,
"url": "http://www.vsecurity.com/resources/advisory/20100702-1/"
},
{
"trust": 1.9,
"url": "http://osvdb.org/66091"
},
{
"trust": 1.1,
"url": "http://www.securityfocus.com/archive/1/512144/100/0/threaded"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-1575"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-1575"
},
{
"trust": 0.6,
"url": "http://marc.info/?l=bugtraq\u0026m=127808444302943\u0026w=2"
},
{
"trust": 0.6,
"url": "http://www.securityfocus.com/archive/1/archive/1/512144/100/0/threaded"
},
{
"trust": 0.6,
"url": "http://www.nsfocus.net/vulndb/15368"
},
{
"trust": 0.3,
"url": "http://www.cisco.com/"
},
{
"trust": 0.3,
"url": "/archive/1/512144"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2010-1236"
},
{
"db": "VULHUB",
"id": "VHN-44180"
},
{
"db": "BID",
"id": "41315"
},
{
"db": "JVNDB",
"id": "JVNDB-2010-001728"
},
{
"db": "NVD",
"id": "CVE-2010-1575"
},
{
"db": "CNNVD",
"id": "CNNVD-201007-034"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2010-1236"
},
{
"db": "VULHUB",
"id": "VHN-44180"
},
{
"db": "BID",
"id": "41315"
},
{
"db": "JVNDB",
"id": "JVNDB-2010-001728"
},
{
"db": "NVD",
"id": "CVE-2010-1575"
},
{
"db": "CNNVD",
"id": "CNNVD-201007-034"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2010-07-03T00:00:00",
"db": "CNVD",
"id": "CNVD-2010-1236"
},
{
"date": "2010-07-06T00:00:00",
"db": "VULHUB",
"id": "VHN-44180"
},
{
"date": "2010-07-02T00:00:00",
"db": "BID",
"id": "41315"
},
{
"date": "2010-07-27T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2010-001728"
},
{
"date": "2010-07-06T17:17:13.203000",
"db": "NVD",
"id": "CVE-2010-1575"
},
{
"date": "2010-07-08T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201007-034"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2010-07-03T00:00:00",
"db": "CNVD",
"id": "CNVD-2010-1236"
},
{
"date": "2018-10-10T00:00:00",
"db": "VULHUB",
"id": "VHN-44180"
},
{
"date": "2015-04-13T21:05:00",
"db": "BID",
"id": "41315"
},
{
"date": "2010-07-27T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2010-001728"
},
{
"date": "2018-10-10T19:57:32.013000",
"db": "NVD",
"id": "CVE-2010-1575"
},
{
"date": "2010-07-08T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201007-034"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201007-034"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Cisco Content Services Switch Vulnerabilities that bypass authentication",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2010-001728"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "permissions and access control",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201007-034"
}
],
"trust": 0.6
}
}