Details of VAR-201702-0807

ID

VAR-201702-0807

CVE

CVE-2017-3840

TITLE

Cisco Secure Access Control System of Web Open redirect vulnerability in interface

Trust: 0.8

sources: JVNDB: JVNDB-2017-001635

DESCRIPTION

A vulnerability in the web interface of the Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to redirect a user to a malicious web page, aka an Open Redirect Vulnerability. More Information: CSCvc04849. Known Affected Releases: 5.8(2.5). An attacker can leverage this issue to conduct phishing attacks; other attacks are possible. This issue is being tracked by Cisco Bug ID CSCvc04849. The system can respectively control network access and network device access through RADIUS and TACACS protocols

Trust: 1.98

sources: NVD: CVE-2017-3840 // JVNDB: JVNDB-2017-001635 // BID: 96238 // VULHUB: VHN-112043

AFFECTED PRODUCTS

vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.8\(2.5\)	Trust: 1.6
vendor:	cisco	model:	secure access control system software	scope:	eq	version:	5.8(2.5)	Trust: 0.8
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.8(2.5)	Trust: 0.3

sources: BID: 96238 // JVNDB: JVNDB-2017-001635 // NVD: CVE-2017-3840 // CNNVD: CNNVD-201702-659

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD:	CVE-2017-3840
value:	MEDIUM
Trust: 1.8
CNNVD:	CNNVD-201702-659
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-112043
value:	MEDIUM
Trust: 0.1

NVD:
severity:	MEDIUM
baseScore:	5.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	4.9
acInsufInfo:	FALSE
obtainAllPrivilege:	FALSE
obtainUserPrivilege:	FALSE
obtainOtherPrivilege:	FALSE
userInteractionRequired:	TRUE
version:	2.0
Trust: 1.0
NVD:	CVE-2017-3840
severity:	MEDIUM
baseScore:	5.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
VULHUB:	VHN-112043
severity:	MEDIUM
baseScore:	5.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

NVD:
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.0
Trust: 1.0
NVD:	CVE-2017-3840
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-112043 // JVNDB: JVNDB-2017-001635 // NVD: CVE-2017-3840 // CNNVD: CNNVD-201702-659

PROBLEMTYPE DATA

problemtype:

CWE-601

Trust: 1.9

sources: VULHUB: VHN-112043 // JVNDB: JVNDB-2017-001635 // NVD: CVE-2017-3840

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201702-659

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-201702-659

CONFIGURATIONS

sources: NVD: CVE-2017-3840

PATCH

title:	cisco-sa-20170215-acs2	url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20170215-acs2	Trust: 0.8
title:	Cisco Secure Access Control System Enter the fix for the verification vulnerability	url:	http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=68172	Trust: 0.6

sources: JVNDB: JVNDB-2017-001635 // CNNVD: CNNVD-201702-659

EXTERNAL IDS

db:	NVD	id:	CVE-2017-3840	Trust: 2.8
db:	BID	id:	96238	Trust: 2.0
db:	SECTRACK	id:	1037837	Trust: 1.1
db:	JVNDB	id:	JVNDB-2017-001635	Trust: 0.8
db:	CNNVD	id:	CNNVD-201702-659	Trust: 0.7
db:	VULHUB	id:	VHN-112043	Trust: 0.1

sources: VULHUB: VHN-112043 // BID: 96238 // JVNDB: JVNDB-2017-001635 // NVD: CVE-2017-3840 // CNNVD: CNNVD-201702-659

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20170215-acs2	Trust: 2.0
url:	http://www.securityfocus.com/bid/96238	Trust: 1.7
url:	http://www.securitytracker.com/id/1037837	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-3840	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2017-3840	Trust: 0.8
url:	http://www.cisco.com/	Trust: 0.3

sources: VULHUB: VHN-112043 // BID: 96238 // JVNDB: JVNDB-2017-001635 // NVD: CVE-2017-3840 // CNNVD: CNNVD-201702-659

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 96238

SOURCES

db:	VULHUB	id:	VHN-112043
db:	BID	id:	96238
db:	JVNDB	id:	JVNDB-2017-001635
db:	NVD	id:	CVE-2017-3840
db:	CNNVD	id:	CNNVD-201702-659

LAST UPDATE DATE

2023-12-18T13:48:41.110000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-112043	date:	2017-07-25T00:00:00
db:	BID	id:	96238	date:	2017-03-07T03:03:00
db:	JVNDB	id:	JVNDB-2017-001635	date:	2017-03-10T00:00:00
db:	NVD	id:	CVE-2017-3840	date:	2017-07-25T01:29:09.327
db:	CNNVD	id:	CNNVD-201702-659	date:	2017-02-22T00:00:00

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-112043	date:	2017-02-22T00:00:00
db:	BID	id:	96238	date:	2017-02-15T00:00:00
db:	JVNDB	id:	JVNDB-2017-001635	date:	2017-03-10T00:00:00
db:	NVD	id:	CVE-2017-3840	date:	2017-02-22T02:59:00.543
db:	CNNVD	id:	CNNVD-201702-659	date:	2017-02-22T00:00:00