This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Detail
Vendor: Cisco
First view: 2014-01-16
Product: Secure Access Control System
Last view: 2018-03-08
Version: 5.2(0.3)
Type: Application
Update: *
Edition: *
Language: *
Software Edition: *
Target Software: *
Target Hardware: *
Other: *
 
CPE Product cpe:2.3:a:cisco:secure_access_control_system

Related : CVE

  Date Alert Description
9.8 2018-03-08 CVE-2018-0147

A vulnerability in Java deserialization used by Cisco Secure Access Control System (ACS) prior to release 5.8 patch 9 could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device. The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerability by sending a crafted serialized Java object. An exploit could allow the attacker to execute arbitrary commands on the device with root privileges. Cisco Bug IDs: CSCvh25988.

4 2015-06-24 CVE-2015-4219

Cisco Secure Access Control System before 5.4(0.46.2) and 5.5 before 5.5(0.46) and Cisco Identity Services Engine 1.0(4.573) do not properly implement access control for support bundles, which allows remote authenticated users to obtain sensitive information via brute-force attempts to send valid credentials, aka Bug IDs CSCue00833 and CSCub40331.

6.5 2015-02-11 CVE-2015-0580

Multiple SQL injection vulnerabilities in the ACS View reporting interface pages in Cisco Secure Access Control System (ACS) before 5.5 patch 7 allow remote authenticated administrators to execute arbitrary SQL commands via crafted HTTPS requests, aka Bug ID CSCuq79027.

10 2014-01-16 CVE-2014-0650

The web interface in Cisco Secure Access Control System (ACS) 5.x before 5.4 Patch 3 allows remote attackers to execute arbitrary operating-system commands via a request to this interface, aka Bug ID CSCue65962.

9 2014-01-16 CVE-2014-0649

The RMI interface in Cisco Secure Access Control System (ACS) 5.x before 5.5 does not properly enforce authorization requirements, which allows remote authenticated users to obtain superadmin access via a request to this interface, aka Bug ID CSCud75180.

10 2014-01-16 CVE-2014-0648

The RMI interface in Cisco Secure Access Control System (ACS) 5.x before 5.5 does not properly enforce authentication and authorization requirements, which allows remote attackers to obtain administrative access via a request to this interface, aka Bug ID CSCud75187.

CWE : Common Weakness Enumeration

% id Name
42% (3) CWE-264 Permissions, Privileges, and Access Controls
14% (1) CWE-502 Deserialization of Untrusted Data
14% (1) CWE-200 Information Exposure
14% (1) CWE-89 Improper Sanitization of Special Elements used in an SQL Command ('...
14% (1) CWE-20 Improper Input Validation

Information Assurance Vulnerability Management (IAVM)

id Description
2015-A-0040 Cisco Secure Access Control System (ACS) SQL Injection Vulnerability
Severity: Category I - VMSKEY: V0058909
2014-A-0014 Multiple Vulnerabilities in Cisco Secure Access Control System (ACS)
Severity: Category I - VMSKEY: V0043619

Snort® IPS/IDS

Date Description
2020-12-05 Cisco ACS unsafe Java object deserialization attempt
RuleID : 45870 - Type : SERVER-WEBAPP - Revision : 1

Nessus® Vulnerability Scanner

id Description
2018-03-16 Name: The remote host is missing a vendor-supplied security patch.
File: cisco-sa-20180307-acs2.nasl - Type: ACT_GATHER_INFO
2015-02-20 Name: The remote host is missing a vendor-supplied security patch.
File: cisco-sa-20150211-csacs.nasl - Type: ACT_GATHER_INFO
2014-01-16 Name: The remote host is missing a vendor-supplied security patch.
File: cisco-sa-20140115-csacs.nasl - Type: ACT_GATHER_INFO