Details of VAR-201803-1586

ID

VAR-201803-1586

CVE

CVE-2018-0207

TITLE

Cisco Secure Access Control Server Vulnerable to information disclosure

Trust: 0.8

sources: JVNDB: JVNDB-2018-002593

DESCRIPTION

A vulnerability in the web-based user interface of the Cisco Secure Access Control Server prior to 5.8 patch 9 could allow an unauthenticated, remote attacker to gain read access to certain information in the affected system. The vulnerability is due to improper handling of XML External Entities (XXEs) when parsing an XML file. An attacker could exploit this vulnerability by convincing the administrator of an affected system to import a crafted XML file. Cisco Bug IDs: CSCve70595. Vendors have confirmed this vulnerability Bug ID CSCve70595 It is released as.Information may be obtained. An attacker can exploit this issue to gain access to sensitive information that may lead to further attacks

Trust: 1.98

sources: NVD: CVE-2018-0207 // JVNDB: JVNDB-2018-002593 // BID: 103343 // VULHUB: VHN-118409

AFFECTED PRODUCTS

vendor:	cisco	model:	secure access control server solution engine	scope:	eq	version:	5.8\(0.8\)	Trust: 1.6
vendor:	cisco	model:	secure access control server solution engine	scope:	lt	version:	5.8 patch 9	Trust: 0.8
vendor:	cisco	model:	secure access control server solution engine	scope:	eq	version:	5.8(0.8)	Trust: 0.3
vendor:	cisco	model:	secure access control server	scope:	-	version:	-	Trust: 0.3

sources: BID: 103343 // JVNDB: JVNDB-2018-002593 // CNNVD: CNNVD-201803-260 // NVD: CVE-2018-0207

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-0207
value:	LOW
Trust: 1.0
NVD:	CVE-2018-0207
value:	LOW
Trust: 0.8
CNNVD:	CNNVD-201803-260
value:	LOW
Trust: 0.6
VULHUB:	VHN-118409
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2018-0207
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-118409
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-0207
baseSeverity:	LOW
baseScore:	3.3
vectorString:	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	1.8
impactScore:	1.4
version:	3.1
Trust: 1.0
NVD:	CVE-2018-0207
baseSeverity:	LOW
baseScore:	3.3
vectorString:	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-118409 // JVNDB: JVNDB-2018-002593 // CNNVD: CNNVD-201803-260 // NVD: CVE-2018-0207

PROBLEMTYPE DATA

problemtype:	CWE-200	Trust: 1.9
problemtype:	CWE-611	Trust: 1.1

sources: VULHUB: VHN-118409 // JVNDB: JVNDB-2018-002593 // NVD: CVE-2018-0207

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201803-260

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-201803-260

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-002593

PATCH

title:	cisco-sa-20180307-acs	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180307-acs	Trust: 0.8
title:	Cisco Secure Access Control Server Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=78993	Trust: 0.6

sources: JVNDB: JVNDB-2018-002593 // CNNVD: CNNVD-201803-260

EXTERNAL IDS

db:	NVD	id:	CVE-2018-0207	Trust: 2.8
db:	BID	id:	103343	Trust: 2.0
db:	SECTRACK	id:	1040470	Trust: 1.7
db:	JVNDB	id:	JVNDB-2018-002593	Trust: 0.8
db:	CNNVD	id:	CNNVD-201803-260	Trust: 0.7
db:	VULHUB	id:	VHN-118409	Trust: 0.1

sources: VULHUB: VHN-118409 // BID: 103343 // JVNDB: JVNDB-2018-002593 // CNNVD: CNNVD-201803-260 // NVD: CVE-2018-0207

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20180307-acs	Trust: 2.0
url:	http://www.securityfocus.com/bid/103343	Trust: 1.7
url:	http://www.securitytracker.com/id/1040470	Trust: 1.7
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-0207	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2018-0207	Trust: 0.8
url:	http://www.cisco.com/	Trust: 0.3

sources: VULHUB: VHN-118409 // BID: 103343 // JVNDB: JVNDB-2018-002593 // CNNVD: CNNVD-201803-260 // NVD: CVE-2018-0207

CREDITS

Mikhail Klyuchnikov from Positive Technologies.

Trust: 0.3

sources: BID: 103343

SOURCES

db:	VULHUB	id:	VHN-118409
db:	BID	id:	103343
db:	JVNDB	id:	JVNDB-2018-002593
db:	CNNVD	id:	CNNVD-201803-260
db:	NVD	id:	CVE-2018-0207

LAST UPDATE DATE

2024-11-23T22:12:38.255000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-118409	date:	2020-09-04T00:00:00
db:	BID	id:	103343	date:	2018-03-07T00:00:00
db:	JVNDB	id:	JVNDB-2018-002593	date:	2018-04-20T00:00:00
db:	CNNVD	id:	CNNVD-201803-260	date:	2020-10-22T00:00:00
db:	NVD	id:	CVE-2018-0207	date:	2024-11-21T03:37:43.990

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-118409	date:	2018-03-08T00:00:00
db:	BID	id:	103343	date:	2018-03-07T00:00:00
db:	JVNDB	id:	JVNDB-2018-002593	date:	2018-04-20T00:00:00
db:	CNNVD	id:	CNNVD-201803-260	date:	2018-03-09T00:00:00
db:	NVD	id:	CVE-2018-0207	date:	2018-03-08T07:29:00.427