Details of VAR-201710-0634

ID

VAR-201710-0634

CVE

CVE-2017-12251

TITLE

Cisco Cloud Services Platform 2100 Vulnerabilities related to authorization, permissions, and access control

Trust: 0.8

sources: JVNDB: JVNDB-2017-009471

DESCRIPTION

A vulnerability in the web console of the Cisco Cloud Services Platform (CSP) 2100 could allow an authenticated, remote attacker to interact maliciously with the services or virtual machines (VMs) operating remotely on an affected CSP device. The vulnerability is due to weaknesses in the generation of certain authentication mechanisms in the URL of the web console. An attacker could exploit this vulnerability by browsing to one of the hosted VMs' URLs in Cisco CSP and viewing specific patterns that control the web application's mechanisms for authentication control. An exploit could allow the attacker to access a specific VM on the CSP, which causes a complete loss of the system's confidentiality, integrity, and availability. This vulnerability affects Cisco Cloud Services Platform (CSP) 2100 running software release 2.1.0, 2.1.1, 2.1.2, 2.2.0, 2.2.1, or 2.2.2. Cisco Bug IDs: CSCve64690. Vendors have confirmed this vulnerability Bug ID CSCve64690 It is released as.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. An attacker can exploit this issue to bypass the security mechanism and gain unauthorized access. This may lead to further attacks. web console is one of the web console programs

Trust: 2.07

sources: NVD: CVE-2017-12251 // JVNDB: JVNDB-2017-009471 // BID: 101487 // VULHUB: VHN-102755 // VULMON: CVE-2017-12251

AFFECTED PRODUCTS

vendor:	cisco	model:	cloud services platform 2100	scope:	eq	version:	2.1.0	Trust: 2.4
vendor:	cisco	model:	cloud services platform 2100	scope:	eq	version:	2.1.1	Trust: 2.4
vendor:	cisco	model:	cloud services platform 2100	scope:	eq	version:	2.1.2	Trust: 2.4
vendor:	cisco	model:	cloud services platform 2100	scope:	eq	version:	2.2.0	Trust: 2.4
vendor:	cisco	model:	cloud services platform 2100	scope:	eq	version:	2.2.1	Trust: 2.4
vendor:	cisco	model:	cloud services platform 2100	scope:	eq	version:	2.2.2	Trust: 2.4
vendor:	cisco	model:	cloud services platform	scope:	eq	version:	21002.2.2	Trust: 0.3
vendor:	cisco	model:	cloud services platform	scope:	eq	version:	21002.2.1	Trust: 0.3
vendor:	cisco	model:	cloud services platform	scope:	eq	version:	21002.2	Trust: 0.3
vendor:	cisco	model:	cloud services platform	scope:	eq	version:	21002.1.2	Trust: 0.3
vendor:	cisco	model:	cloud services platform	scope:	eq	version:	21002.1.1	Trust: 0.3
vendor:	cisco	model:	cloud services platform	scope:	eq	version:	21002.1	Trust: 0.3
vendor:	cisco	model:	cloud services platform	scope:	eq	version:	21002.2(2)	Trust: 0.3
vendor:	cisco	model:	cloud services platform	scope:	eq	version:	21002.2(0)	Trust: 0.3
vendor:	cisco	model:	cloud services platform	scope:	ne	version:	21002.2(3)	Trust: 0.3

sources: BID: 101487 // JVNDB: JVNDB-2017-009471 // CNNVD: CNNVD-201710-889 // NVD: CVE-2017-12251

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-12251
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2017-12251
value:	CRITICAL
Trust: 0.8
CNNVD:	CNNVD-201710-889
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-102755
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2017-12251
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2017-12251
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-102755
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-12251
baseSeverity:	CRITICAL
baseScore:	9.9
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.1
impactScore:	6.0
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-102755 // VULMON: CVE-2017-12251 // JVNDB: JVNDB-2017-009471 // CNNVD: CNNVD-201710-889 // NVD: CVE-2017-12251

PROBLEMTYPE DATA

problemtype:	CWE-264	Trust: 1.9
problemtype:	CWE-287	Trust: 1.1

sources: VULHUB: VHN-102755 // JVNDB: JVNDB-2017-009471 // NVD: CVE-2017-12251

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201710-889

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201710-889

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-009471

PATCH

title:	cisco-sa-20171018-ccs	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171018-ccs	Trust: 0.8
title:	Cisco Cloud Services Platform 2100 web console Fixes for permission permissions and access control vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=100117	Trust: 0.6
title:	Cisco: Cisco Cloud Services Platform 2100 Unauthorized Access Vulnerability	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-20171018-ccs	Trust: 0.1

sources: VULMON: CVE-2017-12251 // JVNDB: JVNDB-2017-009471 // CNNVD: CNNVD-201710-889

EXTERNAL IDS

db:	NVD	id:	CVE-2017-12251	Trust: 2.9
db:	BID	id:	101487	Trust: 2.1
db:	SECTRACK	id:	1039613	Trust: 1.8
db:	JVNDB	id:	JVNDB-2017-009471	Trust: 0.8
db:	CNNVD	id:	CNNVD-201710-889	Trust: 0.7
db:	VULHUB	id:	VHN-102755	Trust: 0.1
db:	VULMON	id:	CVE-2017-12251	Trust: 0.1

sources: VULHUB: VHN-102755 // VULMON: CVE-2017-12251 // BID: 101487 // JVNDB: JVNDB-2017-009471 // CNNVD: CNNVD-201710-889 // NVD: CVE-2017-12251

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20171018-ccs	Trust: 2.2
url:	http://www.securityfocus.com/bid/101487	Trust: 1.9
url:	http://www.securitytracker.com/id/1039613	Trust: 1.8
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-12251	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-12251	Trust: 0.8
url:	http://www.cisco.com/	Trust: 0.3
url:	https://cwe.mitre.org/data/definitions/287.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-102755 // VULMON: CVE-2017-12251 // BID: 101487 // JVNDB: JVNDB-2017-009471 // CNNVD: CNNVD-201710-889 // NVD: CVE-2017-12251

CREDITS

Chris Day

Trust: 0.3

sources: BID: 101487

SOURCES

db:	VULHUB	id:	VHN-102755
db:	VULMON	id:	CVE-2017-12251
db:	BID	id:	101487
db:	JVNDB	id:	JVNDB-2017-009471
db:	CNNVD	id:	CNNVD-201710-889
db:	NVD	id:	CVE-2017-12251

LAST UPDATE DATE

2025-04-20T23:15:53.416000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-102755	date:	2019-10-09T00:00:00
db:	VULMON	id:	CVE-2017-12251	date:	2019-10-09T00:00:00
db:	BID	id:	101487	date:	2017-10-18T00:00:00
db:	JVNDB	id:	JVNDB-2017-009471	date:	2017-11-13T00:00:00
db:	CNNVD	id:	CNNVD-201710-889	date:	2019-10-17T00:00:00
db:	NVD	id:	CVE-2017-12251	date:	2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-102755	date:	2017-10-19T00:00:00
db:	VULMON	id:	CVE-2017-12251	date:	2017-10-19T00:00:00
db:	BID	id:	101487	date:	2017-10-18T00:00:00
db:	JVNDB	id:	JVNDB-2017-009471	date:	2017-11-13T00:00:00
db:	CNNVD	id:	CNNVD-201710-889	date:	2017-10-19T00:00:00
db:	NVD	id:	CVE-2017-12251	date:	2017-10-19T08:29:00.217