Details of VAR-201403-0279

ID

VAR-201403-0279

CVE

CVE-2014-2536

TITLE

plural McAfee Products and Intel Expressway Cloud Access 360-SSO Vulnerable to directory traversal

Trust: 0.8

sources: JVNDB: JVNDB-2014-001746

DESCRIPTION

Directory traversal vulnerability in McAfee Cloud Identity Manager 3.0, 3.1, and 3.5.1, McAfee Cloud Single Sign On (MCSSO) before 4.0.1, and Intel Expressway Cloud Access 360-SSO 2.1 and 2.5 allows remote authenticated users to read an unspecified file containing a hash of the administrator password via unknown vectors. Multiple McAfee products are prone to an unspecified directory-traversal vulnerability. Remote attackers can use specially crafted requests with directory-traversal sequences ('../') to retrieve arbitrary files in the context of the application. Exploiting this issue may allow an attacker to obtain sensitive information that could aid in further attacks. A remote attacker could exploit this vulnerability to read a file containing administrator password hashes

Trust: 1.98

sources: NVD: CVE-2014-2536 // JVNDB: JVNDB-2014-001746 // BID: 66181 // VULHUB: VHN-70475

AFFECTED PRODUCTS

vendor:	mcafee	model:	cloud identity manager	scope:	eq	version:	3.0	Trust: 1.8
vendor:	mcafee	model:	cloud identity manager	scope:	eq	version:	3.1	Trust: 1.8
vendor:	mcafee	model:	cloud identity manager	scope:	eq	version:	3.5.1	Trust: 1.8
vendor:	intel	model:	expressway cloud access 360	scope:	eq	version:	2.5	Trust: 1.6
vendor:	intel	model:	expressway cloud access 360	scope:	eq	version:	2.1	Trust: 1.6
vendor:	mcafee	model:	cloud single sign on	scope:	eq	version:	4.0.0	Trust: 1.0
vendor:	intel	model:	expressway cloud access 360	scope:	eq	version:	sso 2.1	Trust: 0.8
vendor:	intel	model:	expressway cloud access 360	scope:	eq	version:	sso 2.5	Trust: 0.8
vendor:	mcafee	model:	cloud single sign on	scope:	lt	version:	4.0.1	Trust: 0.8

sources: JVNDB: JVNDB-2014-001746 // CNNVD: CNNVD-201403-346 // NVD: CVE-2014-2536

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-2536
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2014-2536
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201403-346
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-70475
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2014-2536
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-70475
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-70475 // JVNDB: JVNDB-2014-001746 // CNNVD: CNNVD-201403-346 // NVD: CVE-2014-2536

PROBLEMTYPE DATA

problemtype:

CWE-22

Trust: 1.9

sources: VULHUB: VHN-70475 // JVNDB: JVNDB-2014-001746 // NVD: CVE-2014-2536

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201403-346

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-201403-346

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-001746

PATCH

title:	Intel Expressway Cloud Access 360	url:	http://intelasip.nebrina.com/redfort/Expressway-Cloud-Access-360-Identity-Federation/	Trust: 0.8
title:	SB10066	url:	https://kc.mcafee.com/corporate/index?page=content&id=SB10066	Trust: 0.8

sources: JVNDB: JVNDB-2014-001746

EXTERNAL IDS

db:	NVD	id:	CVE-2014-2536	Trust: 2.8
db:	SECUNIA	id:	57368	Trust: 1.7
db:	SECUNIA	id:	57381	Trust: 1.7
db:	MCAFEE	id:	SB10066	Trust: 1.7
db:	BID	id:	66181	Trust: 1.4
db:	JVNDB	id:	JVNDB-2014-001746	Trust: 0.8
db:	CNNVD	id:	CNNVD-201403-346	Trust: 0.7
db:	VULHUB	id:	VHN-70475	Trust: 0.1

sources: VULHUB: VHN-70475 // BID: 66181 // JVNDB: JVNDB-2014-001746 // CNNVD: CNNVD-201403-346 // NVD: CVE-2014-2536

REFERENCES

url:	http://secunia.com/advisories/57368	Trust: 1.7
url:	http://secunia.com/advisories/57381	Trust: 1.7
url:	https://kc.mcafee.com/corporate/index?page=content&id=sb10066	Trust: 1.6
url:	http://www.securityfocus.com/bid/66181	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-2536	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-2536	Trust: 0.8
url:	http://www.mcafee.com/us/	Trust: 0.3
url:	https://kc.mcafee.com/corporate/index?page=content&id=sb10066	Trust: 0.1

sources: VULHUB: VHN-70475 // BID: 66181 // JVNDB: JVNDB-2014-001746 // CNNVD: CNNVD-201403-346 // NVD: CVE-2014-2536

CREDITS

Andrea Micalizzi, aka rgod, HP's Zero Day Initiative.

Trust: 0.3

sources: BID: 66181

SOURCES

db:	VULHUB	id:	VHN-70475
db:	BID	id:	66181
db:	JVNDB	id:	JVNDB-2014-001746
db:	CNNVD	id:	CNNVD-201403-346
db:	NVD	id:	CVE-2014-2536

LAST UPDATE DATE

2025-04-13T23:39:11.871000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-70475	date:	2014-04-01T00:00:00
db:	BID	id:	66181	date:	2014-04-08T16:09:00
db:	JVNDB	id:	JVNDB-2014-001746	date:	2014-03-24T00:00:00
db:	CNNVD	id:	CNNVD-201403-346	date:	2014-03-21T00:00:00
db:	NVD	id:	CVE-2014-2536	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-70475	date:	2014-03-18T00:00:00
db:	BID	id:	66181	date:	2014-03-07T00:00:00
db:	JVNDB	id:	JVNDB-2014-001746	date:	2014-03-24T00:00:00
db:	CNNVD	id:	CNNVD-201403-346	date:	2014-03-20T00:00:00
db:	NVD	id:	CVE-2014-2536	date:	2014-03-18T17:04:18.467