ID

VAR-201702-0806


CVE

CVE-2017-3839


TITLE

XML External Entity Vulnerability in the Web-Based User Interface of Cisco Secure Access Control System

Trust: 0.8

sources: JVNDB: JVNDB-2017-001634

DESCRIPTION

An XML External Entity vulnerability in the web-based user interface of the Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to gain read access to part of the information stored in the affected system. More Information: CSCvc04845. Known Affected Releases: 5.8(2.5). This issue is being tracked by Cisco bug ID CSCvc04845. Cisco ACS controls network access and network device access through the RADIUS and TACACS protocols, respectively. The vulnerability stems from the program not correctly handling XML external entities.

Trust: 1.98

sources: NVD: CVE-2017-3839 // JVNDB: JVNDB-2017-001634 // BID: 96236 // VULHUB: VHN-112042

AFFECTED PRODUCTS

vendor: cisco, model: secure access control system, scope: eq, version: 5.8\(2.5\)

Trust: 1.6

vendor: cisco, model: secure access control system software, scope: eq, version: 5.8(2.5)

Trust: 0.8

vendor: cisco, model: secure access control system, scope: eq, version: 5.8(2.5)

Trust: 0.3

sources: BID: 96236 // JVNDB: JVNDB-2017-001634 // NVD: CVE-2017-3839 // CNNVD: CNNVD-201702-657

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2017-3839
value: MEDIUM

Trust: 1.8

CNNVD: CNNVD-201702-657
value: MEDIUM

Trust: 0.6

VULHUB: VHN-112042
value: MEDIUM

Trust: 0.1

NVD:
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: FALSE
obtainAllPrivilege: FALSE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: FALSE
version: 2.0

Trust: 1.0

NVD: CVE-2017-3839
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-112042
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

NVD:
baseSeverity: MEDIUM
baseScore: 4.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 1.4
version: 3.0

Trust: 1.0

NVD: CVE-2017-3839
baseSeverity: MEDIUM
baseScore: 4.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-112042 // JVNDB: JVNDB-2017-001634 // NVD: CVE-2017-3839 // CNNVD: CNNVD-201702-657

PROBLEMTYPE DATA

problemtype:CWE-611

Trust: 1.1

problemtype:CWE-20

Trust: 0.9

sources: VULHUB: VHN-112042 // JVNDB: JVNDB-2017-001634 // NVD: CVE-2017-3839

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201702-657

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-201702-657

CONFIGURATIONS

sources: NVD: CVE-2017-3839

PATCH

title: cisco-sa-20170215-acs1, url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20170215-acs1

Trust: 0.8

title: Cisco Secure Access Control System Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=68174

Trust: 0.6

sources: JVNDB: JVNDB-2017-001634 // CNNVD: CNNVD-201702-657

EXTERNAL IDS

db: NVD, id: CVE-2017-3839

Trust: 2.8

db: BID, id: 96236

Trust: 2.0

db: SECTRACK, id: 1037836

Trust: 1.7

db: JVNDB, id: JVNDB-2017-001634

Trust: 0.8

db: CNNVD, id: CNNVD-201702-657

Trust: 0.7

db: VULHUB, id: VHN-112042

Trust: 0.1

sources: VULHUB: VHN-112042 // BID: 96236 // JVNDB: JVNDB-2017-001634 // NVD: CVE-2017-3839 // CNNVD: CNNVD-201702-657

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20170215-acs1

Trust: 2.0

url:http://www.securityfocus.com/bid/96236

Trust: 1.7

url:http://www.securitytracker.com/id/1037836

Trust: 1.7

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-3839

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2017-3839

Trust: 0.8

url:http://www.cisco.com/

Trust: 0.3

sources: VULHUB: VHN-112042 // BID: 96236 // JVNDB: JVNDB-2017-001634 // NVD: CVE-2017-3839 // CNNVD: CNNVD-201702-657

CREDITS

Cisco

Trust: 0.9

sources: BID: 96236 // CNNVD: CNNVD-201702-657

SOURCES

db: VULHUB, id: VHN-112042
db: BID, id: 96236
db: JVNDB, id: JVNDB-2017-001634
db: NVD, id: CVE-2017-3839
db: CNNVD, id: CNNVD-201702-657

LAST UPDATE DATE

2023-12-18T13:08:54.942000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-112042, date: 2019-10-03T00:00:00
db: BID, id: 96236, date: 2017-03-07T03:03:00
db: JVNDB, id: JVNDB-2017-001634, date: 2017-03-10T00:00:00
db: NVD, id: CVE-2017-3839, date: 2019-10-03T00:03:26.223
db: CNNVD, id: CNNVD-201702-657, date: 2019-10-23T00:00:00

SOURCES RELEASE DATE

db: VULHUB, id: VHN-112042, date: 2017-02-22T00:00:00
db: BID, id: 96236, date: 2017-02-15T00:00:00
db: JVNDB, id: JVNDB-2017-001634, date: 2017-03-10T00:00:00
db: NVD, id: CVE-2017-3839, date: 2017-02-22T02:59:00.513
db: CNNVD, id: CNNVD-201702-657, date: 2017-02-22T00:00:00