ID

VAR-201702-0802


CVE

CVE-2017-3835


TITLE

SQL Injection Vulnerability in the Sponsor Portal of Cisco Identity Services Engine

Trust: 0.8

sources: JVNDB: JVNDB-2017-001685

DESCRIPTION

A vulnerability in the sponsor portal of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access notices owned by other users because of SQL injection. More Information: CSCvb15627. Known Affected Releases: 1.4(0.908). A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. This issue is being tracked by Cisco Bug ID CSCvb15627. Cisco ISE monitors the network by collecting real-time information on the network, users and devices, and by formulating and implementing corresponding policies. The vulnerability stems from the program not adequately filtering user-submitted data. A remote attacker could exploit this vulnerability by sending a specially crafted HTTP POST request to an affected system to view or delete other users' notifications.

Trust: 1.98

sources: NVD: CVE-2017-3835 // JVNDB: JVNDB-2017-001685 // BID: 96249 // VULHUB: VHN-112038

AFFECTED PRODUCTS

vendor: cisco, model: identity services engine software, scope: eq, version: 1.4\(0.908\)

Trust: 1.6

vendor: cisco, model: identity services engine software, scope: eq, version: 1.4(0.908)

Trust: 0.8

vendor: cisco, model: identity services engine, scope: eq, version: 1.4(0.908)

Trust: 0.3

sources: BID: 96249 // JVNDB: JVNDB-2017-001685 // NVD: CVE-2017-3835 // CNNVD: CNNVD-201702-669

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2017-3835
value: HIGH

Trust: 1.8

CNNVD: CNNVD-201702-669
value: MEDIUM

Trust: 0.6

VULHUB: VHN-112038
value: MEDIUM

Trust: 0.1

NVD:
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: FALSE
obtainAllPrivilege: FALSE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: FALSE
version: 2.0

Trust: 1.0

NVD: CVE-2017-3835
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-112038
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

NVD:
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.0

NVD: CVE-2017-3835
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-112038 // JVNDB: JVNDB-2017-001685 // NVD: CVE-2017-3835 // CNNVD: CNNVD-201702-669

PROBLEMTYPE DATA

problemtype: CWE-89

Trust: 1.9

sources: VULHUB: VHN-112038 // JVNDB: JVNDB-2017-001685 // NVD: CVE-2017-3835

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201702-669

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-201702-669

CONFIGURATIONS

sources: NVD: CVE-2017-3835

PATCH

title: cisco-sa-20170215-ise, url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20170215-ise

Trust: 0.8

title: Cisco Identity Services Engine SQL injection vulnerability repair measures, url: http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=68162

Trust: 0.6

sources: JVNDB: JVNDB-2017-001685 // CNNVD: CNNVD-201702-669

EXTERNAL IDS

db: NVD, id: CVE-2017-3835

Trust: 2.8

db: BID, id: 96249

Trust: 2.0

db: SECTRACK, id: 1037841

Trust: 1.1

db: JVNDB, id: JVNDB-2017-001685

Trust: 0.8

db: CNNVD, id: CNNVD-201702-669

Trust: 0.7

db: VULHUB, id: VHN-112038

Trust: 0.1

sources: VULHUB: VHN-112038 // BID: 96249 // JVNDB: JVNDB-2017-001685 // NVD: CVE-2017-3835 // CNNVD: CNNVD-201702-669

REFERENCES

url: http://www.securityfocus.com/bid/96249

Trust: 1.7

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20170215-ise

Trust: 1.7

url: http://www.securitytracker.com/id/1037841

Trust: 1.1

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-3835

Trust: 0.8

url: http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2017-3835

Trust: 0.8

url: http://www.cisco.com/

Trust: 0.3

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20170215-ise

Trust: 0.3

sources: VULHUB: VHN-112038 // BID: 96249 // JVNDB: JVNDB-2017-001685 // NVD: CVE-2017-3835 // CNNVD: CNNVD-201702-669

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 96249

SOURCES

db: VULHUB, id: VHN-112038
db: BID, id: 96249
db: JVNDB, id: JVNDB-2017-001685
db: NVD, id: CVE-2017-3835
db: CNNVD, id: CNNVD-201702-669

LAST UPDATE DATE

2023-12-18T13:19:37.241000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-112038, date: 2017-07-25T00:00:00
db: BID, id: 96249, date: 2017-03-07T03:05:00
db: JVNDB, id: JVNDB-2017-001685, date: 2017-03-13T00:00:00
db: NVD, id: CVE-2017-3835, date: 2017-07-25T01:29:09.090
db: CNNVD, id: CNNVD-201702-669, date: 2017-02-21T00:00:00

SOURCES RELEASE DATE

db: VULHUB, id: VHN-112038, date: 2017-02-22T00:00:00
db: BID, id: 96249, date: 2017-02-15T00:00:00
db: JVNDB, id: JVNDB-2017-001685, date: 2017-03-13T00:00:00
db: NVD, id: CVE-2017-3835, date: 2017-02-22T02:59:00.387
db: CNNVD, id: CNNVD-201702-669, date: 2017-02-21T00:00:00