Details of VAR-201810-0295

ID

VAR-201810-0295

CVE

CVE-2018-0414

TITLE

Cisco Secure Access Control Server In XML External entity vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2018-013280

DESCRIPTION

A vulnerability in the web-based UI of Cisco Secure Access Control Server could allow an authenticated, remote attacker to gain read access to certain information in an affected system. The vulnerability is due to improper handling of XML External Entities (XXEs) when parsing an XML file. An attacker could exploit this vulnerability by convincing the administrator of an affected system to import a crafted XML file. An attacker can exploit this issue to gain access to sensitive information that may lead to further attacks. This issue is being tracked by Cisco bug ID CSCvi85318

Trust: 1.98

sources: NVD: CVE-2018-0414 // JVNDB: JVNDB-2018-013280 // BID: 105289 // VULHUB: VHN-118616

AFFECTED PRODUCTS

vendor:	cisco	model:	secure access control server solution engine	scope:	eq	version:	5.8	Trust: 1.6
vendor:	cisco	model:	secure access control server solution engine	scope:	lt	version:	5.8	Trust: 1.0
vendor:	cisco	model:	secure access control server solution engine	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	secure access control server solution engine	scope:	eq	version:	3.3.2	Trust: 0.6
vendor:	cisco	model:	secure access control server solution engine	scope:	eq	version:	3.3	Trust: 0.6
vendor:	cisco	model:	secure access control server solution engine	scope:	eq	version:	3.3.1	Trust: 0.6
vendor:	cisco	model:	secure access control server solution engine	scope:	eq	version:	4.0	Trust: 0.6
vendor:	cisco	model:	secure access control server	scope:	eq	version:	5.340.8	Trust: 0.3
vendor:	cisco	model:	secure access control server patch	scope:	eq	version:	5.89	Trust: 0.3
vendor:	cisco	model:	secure access control server	scope:	eq	version:	5.7(0.15)	Trust: 0.3
vendor:	cisco	model:	secure access control server	scope:	eq	version:	5.4	Trust: 0.3
vendor:	cisco	model:	secure access control server	scope:	eq	version:	5.3	Trust: 0.3
vendor:	cisco	model:	secure access control server	scope:	eq	version:	5.2.0.26.2	Trust: 0.3
vendor:	cisco	model:	secure access control server	scope:	eq	version:	5.2.0.26.1	Trust: 0.3
vendor:	cisco	model:	secure access control server patch	scope:	eq	version:	5.2.0.269	Trust: 0.3
vendor:	cisco	model:	secure access control server	scope:	eq	version:	5.2.0.26	Trust: 0.3
vendor:	cisco	model:	secure access control server	scope:	eq	version:	5.2	Trust: 0.3
vendor:	cisco	model:	secure access control server	scope:	eq	version:	5.1.0.44.5	Trust: 0.3
vendor:	cisco	model:	secure access control server	scope:	eq	version:	5.1.0.44.4	Trust: 0.3
vendor:	cisco	model:	secure access control server	scope:	eq	version:	5.1.0.44.3	Trust: 0.3
vendor:	cisco	model:	secure access control server	scope:	eq	version:	5.1	Trust: 0.3
vendor:	cisco	model:	secure access control server	scope:	eq	version:	5.0	Trust: 0.3
vendor:	cisco	model:	secure access control server patch	scope:	ne	version:	5.810	Trust: 0.3

sources: BID: 105289 // JVNDB: JVNDB-2018-013280 // CNNVD: CNNVD-201809-283 // NVD: CVE-2018-0414

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-0414
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2018-0414
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201809-283
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-118616
value:	LOW
Trust: 0.1

nvd@nist.gov:	CVE-2018-0414
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-118616
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-0414
baseSeverity:	MEDIUM
baseScore:	5.7
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	2.1
impactScore:	3.6
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-118616 // JVNDB: JVNDB-2018-013280 // CNNVD: CNNVD-201809-283 // NVD: CVE-2018-0414

PROBLEMTYPE DATA

problemtype:

CWE-611

Trust: 1.9

sources: VULHUB: VHN-118616 // JVNDB: JVNDB-2018-013280 // NVD: CVE-2018-0414

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201809-283

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-201809-283

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-013280

PATCH

title:	cisco-sa-20180905-acsxxe	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-acsxxe	Trust: 0.8
title:	Cisco Secure Access Control Server Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=84614	Trust: 0.6

sources: JVNDB: JVNDB-2018-013280 // CNNVD: CNNVD-201809-283

EXTERNAL IDS

db:	NVD	id:	CVE-2018-0414	Trust: 2.8
db:	BID	id:	105289	Trust: 2.0
db:	SECTRACK	id:	1041688	Trust: 1.7
db:	JVNDB	id:	JVNDB-2018-013280	Trust: 0.8
db:	CNNVD	id:	CNNVD-201809-283	Trust: 0.7
db:	VULHUB	id:	VHN-118616	Trust: 0.1

sources: VULHUB: VHN-118616 // BID: 105289 // JVNDB: JVNDB-2018-013280 // CNNVD: CNNVD-201809-283 // NVD: CVE-2018-0414

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20180905-acsxxe	Trust: 2.0
url:	http://www.securityfocus.com/bid/105289	Trust: 1.7
url:	http://www.securitytracker.com/id/1041688	Trust: 1.7
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-0414	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2018-0414	Trust: 0.8
url:	http://www.cisco.com/	Trust: 0.3

sources: VULHUB: VHN-118616 // BID: 105289 // JVNDB: JVNDB-2018-013280 // CNNVD: CNNVD-201809-283 // NVD: CVE-2018-0414

CREDITS

Piotr Domirski

Trust: 0.3

sources: BID: 105289

SOURCES

db:	VULHUB	id:	VHN-118616
db:	BID	id:	105289
db:	JVNDB	id:	JVNDB-2018-013280
db:	CNNVD	id:	CNNVD-201809-283
db:	NVD	id:	CVE-2018-0414

LAST UPDATE DATE

2024-11-23T22:51:59.251000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-118616	date:	2019-10-09T00:00:00
db:	BID	id:	105289	date:	2018-09-05T00:00:00
db:	JVNDB	id:	JVNDB-2018-013280	date:	2019-02-18T00:00:00
db:	CNNVD	id:	CNNVD-201809-283	date:	2019-10-17T00:00:00
db:	NVD	id:	CVE-2018-0414	date:	2024-11-21T03:38:10.757

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-118616	date:	2018-10-05T00:00:00
db:	BID	id:	105289	date:	2018-09-05T00:00:00
db:	JVNDB	id:	JVNDB-2018-013280	date:	2019-02-18T00:00:00
db:	CNNVD	id:	CNNVD-201809-283	date:	2018-09-06T00:00:00
db:	NVD	id:	CVE-2018-0414	date:	2018-10-05T14:29:00.497