ID

VAR-201802-0598


CVE

CVE-2018-0130


TITLE

Cisco Elastic Services Controller Software Vulnerabilities related to authorization, permissions, and access control

Trust: 0.8

sources: JVNDB: JVNDB-2018-002468

DESCRIPTION

A vulnerability in the use of JSON web tokens by the web-based service portal of Cisco Elastic Services Controller Software could allow an unauthenticated, remote attacker to gain administrative access to an affected system. The vulnerability is due to the presence of static default credentials for the web-based service portal of the affected software. An attacker could exploit this vulnerability by extracting the credentials from an image of the affected software and using those credentials to generate a valid administrative session token for the web-based service portal of any other installation of the affected software. A successful exploit could allow the attacker to gain administrative access to the web-based service portal of an affected system. This vulnerability affects Cisco Elastic Services Controller Software Release 3.0.0. Cisco Bug IDs: CSCvg30884. The vendor has confirmed this vulnerability and released it as Bug ID CSCvg30884. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). This may lead to further attacks. The service portal is one of the web-based business system portals.

Trust: 1.98

sources: NVD: CVE-2018-0130 // JVNDB: JVNDB-2018-002468 // BID: 103116 // VULHUB: VHN-118332

AFFECTED PRODUCTS

vendor: cisco // model: virtual managed services // scope: eq // version: 3.0

Trust: 1.9

vendor: cisco // model: virtual managed service // scope: - // version: -

Trust: 0.8

vendor: cisco // model: elastic services controller // scope: eq // version: 3.0.0

Trust: 0.3

vendor: cisco // model: elastic services controller // scope: ne // version: 3.1.0

Trust: 0.3

sources: BID: 103116 // JVNDB: JVNDB-2018-002468 // CNNVD: CNNVD-201802-440 // NVD: CVE-2018-0130

CVSS

SEVERITY

nvd@nist.gov: CVE-2018-0130
value: CRITICAL

Trust: 1.0

NVD: CVE-2018-0130
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-201802-440
value: CRITICAL

Trust: 0.6

VULHUB: VHN-118332
value: HIGH

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2018-0130
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-118332
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2018-0130
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-118332 // JVNDB: JVNDB-2018-002468 // CNNVD: CNNVD-201802-440 // NVD: CVE-2018-0130

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.9

problemtype:CWE-1188

Trust: 1.0

sources: VULHUB: VHN-118332 // JVNDB: JVNDB-2018-002468 // NVD: CVE-2018-0130

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201802-440

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201802-440

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-002468

PATCH

title: cisco-sa-20180221-esc1 // url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180221-esc1

Trust: 0.8

title: Cisco Elastic Services Controller Software Security vulnerabilities // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=78519

Trust: 0.6

sources: JVNDB: JVNDB-2018-002468 // CNNVD: CNNVD-201802-440

EXTERNAL IDS

db: NVD // id: CVE-2018-0130

Trust: 2.8

db: BID // id: 103116

Trust: 2.0

db: JVNDB // id: JVNDB-2018-002468

Trust: 0.8

db: CNNVD // id: CNNVD-201802-440

Trust: 0.7

db: VULHUB // id: VHN-118332

Trust: 0.1

sources: VULHUB: VHN-118332 // BID: 103116 // JVNDB: JVNDB-2018-002468 // CNNVD: CNNVD-201802-440 // NVD: CVE-2018-0130

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20180221-esc1

Trust: 2.6

url:http://www.securityfocus.com/bid/103116

Trust: 1.7

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-0130

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-0130

Trust: 0.8

url:http://www.cisco.com/

Trust: 0.3

sources: VULHUB: VHN-118332 // BID: 103116 // JVNDB: JVNDB-2018-002468 // CNNVD: CNNVD-201802-440 // NVD: CVE-2018-0130

CREDITS

This vulnerability was found during internal security testing.

Trust: 0.6

sources: CNNVD: CNNVD-201802-440

SOURCES

db: VULHUB // id: VHN-118332
db: BID // id: 103116
db: JVNDB // id: JVNDB-2018-002468
db: CNNVD // id: CNNVD-201802-440
db: NVD // id: CVE-2018-0130

LAST UPDATE DATE

2024-11-23T22:17:39.430000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-118332 // date: 2019-10-09T00:00:00
db: BID // id: 103116 // date: 2018-02-21T00:00:00
db: JVNDB // id: JVNDB-2018-002468 // date: 2018-04-13T00:00:00
db: CNNVD // id: CNNVD-201802-440 // date: 2019-10-17T00:00:00
db: NVD // id: CVE-2018-0130 // date: 2024-11-21T03:37:34.870

SOURCES RELEASE DATE

db: VULHUB // id: VHN-118332 // date: 2018-02-22T00:00:00
db: BID // id: 103116 // date: 2018-02-21T00:00:00
db: JVNDB // id: JVNDB-2018-002468 // date: 2018-04-13T00:00:00
db: CNNVD // id: CNNVD-201802-440 // date: 2018-02-22T00:00:00
db: NVD // id: CVE-2018-0130 // date: 2018-02-22T00:29:00.313