Sign-up

ID

VAR-201711-0301


CVE

CVE-2017-12262


TITLE

Cisco Application Policy Infrastructure Controller Enterprise Vulnerabilities related to authorization, authority, and access control in modules

Trust: 0.8

sources: JVNDB: JVNDB-2017-009869

DESCRIPTION

A vulnerability within the firewall configuration of the Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM) could allow an unauthenticated, adjacent attacker to gain privileged access to services only available on the internal network of the device. The vulnerability is due to an incorrect firewall rule on the device. The misconfiguration could allow traffic sent to the public interface of the device to be forwarded to the internal virtual network of the APIC-EM. An attacker that is logically adjacent to the network on which the public interface of the affected APIC-EM resides could leverage this behavior to gain access to services listening on the internal network with elevated privileges. This vulnerability affects appliances or virtual devices running Cisco Application Policy Infrastructure Controller Enterprise Module prior to version 1.5. Cisco Bug IDs: CSCve89638. Vendors have confirmed this vulnerability Bug ID CSCve89638 It is released as.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. An attacker can exploit this issue to bypass the security mechanism and gain unauthorized access. This may lead to further attacks

Trust: 1.98

sources: NVD: CVE-2017-12262 // JVNDB: JVNDB-2017-009869 // BID: 101647 // VULHUB: VHN-102767

AFFECTED PRODUCTS

vendor:ciscomodel:application policy infrastructure controller enterprise modulescope:ltversion:1.5

Trust: 1.8

vendor:ciscomodel:application policy infrastructure controller enterprise modulescope:eqversion:1.0_ga

Trust: 0.6

vendor:ciscomodel:application policy infrastructure controller enterprise modulescope:eqversion:1.0.10

Trust: 0.6

vendor:ciscomodel:application policy infrastructure controller enterprise modulescope:eqversion:1.0.\(1\)

Trust: 0.6

vendor:ciscomodel:application policy infrastructure controller enterprise modulescope:eqversion:1.1_base

Trust: 0.6

vendor:ciscomodel:application policy infrastructure controller enterprise modulescope:eqversion:1.400

Trust: 0.3

vendor:ciscomodel:application policy infrastructure controller enterprise modulescope:eqversion:1.1

Trust: 0.3

vendor:ciscomodel:application policy infrastructure controller enterprise modulescope:eqversion:1.0

Trust: 0.3

vendor:ciscomodel:application policy infrastructure controller enterprise modulescope:neversion:1.5

Trust: 0.3

sources: BID: 101647 // JVNDB: JVNDB-2017-009869 // CNNVD: CNNVD-201711-081 // NVD: CVE-2017-12262

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-12262
value: HIGH

Trust: 1.0

NVD: CVE-2017-12262
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201711-081
value: HIGH

Trust: 0.6

VULHUB: VHN-102767
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-12262
severity: MEDIUM
baseScore: 5.8
vectorString: AV:A/AC:L/AU:N/C:P/I:P/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 6.5
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-102767
severity: MEDIUM
baseScore: 5.8
vectorString: AV:A/AC:L/AU:N/C:P/I:P/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 6.5
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-12262
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-102767 // JVNDB: JVNDB-2017-009869 // CNNVD: CNNVD-201711-081 // NVD: CVE-2017-12262

PROBLEMTYPE DATA

problemtype:CWE-665

Trust: 1.1

problemtype:CWE-284

Trust: 1.0

problemtype:CWE-264

Trust: 0.9

sources: VULHUB: VHN-102767 // JVNDB: JVNDB-2017-009869 // NVD: CVE-2017-12262

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-201711-081

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201711-081

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2017-009869

PATCH
title:cisco-sa-20171101-apicemurl:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171101-apicem
Trust: 0.8
title:Cisco Application Policy Infrastructure Controller Enterprise Module Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=76084
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2017-009869 // 
            
            
            
            CNNVD: CNNVD-201711-081

EXTERNAL IDS
db:NVDid:CVE-2017-12262
Trust: 2.8
db:BIDid:101647
Trust: 2.0
db:SECTRACKid:1039716
Trust: 1.7
db:JVNDBid:JVNDB-2017-009869
Trust: 0.8
db:CNNVDid:CNNVD-201711-081
Trust: 0.7
db:VULHUBid:VHN-102767
Trust: 0.1
sources:
            
            
            VULHUB: VHN-102767 // 
            
            
            
            BID: 101647 // 
            
            
            
            JVNDB: JVNDB-2017-009869 // 
            
            
            
            CNNVD: CNNVD-201711-081 // 
            
            
            
            NVD: CVE-2017-12262

REFERENCES
url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20171101-apicem
Trust: 2.0
url:http://www.securityfocus.com/bid/101647
Trust: 1.7
url:http://www.securitytracker.com/id/1039716
Trust: 1.7
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-12262
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2017-12262
Trust: 0.8
url:http://www.cisco.com/
Trust: 0.3
sources:
            
            
            VULHUB: VHN-102767 // 
            
            
            
            BID: 101647 // 
            
            
            
            JVNDB: JVNDB-2017-009869 // 
            
            
            
            CNNVD: CNNVD-201711-081 // 
            
            
            
            NVD: CVE-2017-12262

CREDITS
Georgi Geshev of MWR InfoSecurity.
Trust: 0.3
sources:
            
            
            BID: 101647

SOURCES
db:VULHUBid:VHN-102767
db:BIDid:101647
db:JVNDBid:JVNDB-2017-009869
db:CNNVDid:CNNVD-201711-081
db:NVDid:CVE-2017-12262

LAST UPDATE DATE
2025-04-20T23:12:45.856000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-102767date:2019-10-09T00:00:00
db:BIDid:101647date:2017-12-19T22:00:00
db:JVNDBid:JVNDB-2017-009869date:2017-11-24T00:00:00
db:CNNVDid:CNNVD-201711-081date:2019-10-17T00:00:00
db:NVDid:CVE-2017-12262date:2025-04-20T01:37:25.860

SOURCES RELEASE DATE
db:VULHUBid:VHN-102767date:2017-11-02T00:00:00
db:BIDid:101647date:2017-11-01T00:00:00
db:JVNDBid:JVNDB-2017-009869date:2017-11-24T00:00:00
db:CNNVDid:CNNVD-201711-081date:2017-11-03T00:00:00
db:NVDid:CVE-2017-12262date:2017-11-02T16:29:00.253