Executive Summary
Summary | |
---|---|
Title | Cisco Device Manager Command Execution Vulnerability |
Informations | |||
---|---|---|---|
Name | cisco-sa-20130424-fmdm | First vendor Publication | 2013-04-24 |
Vendor | Cisco | Last vendor Modification | 2013-04-24 |
Severity (Vendor) | N/A | Revision | 1.0 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 9.3 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Medium |
Cvss Expoit Score | 8.6 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Cisco Device Manager contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary commands on a client host with the privileges of the user. This vulnerability affects Cisco Device Manager for the Cisco MDS 9000 Family and Cisco Nexus 5000 Series Switches when it is installed or launched via the Java Network Launch Protocol (JNLP) on a host running Microsoft Windows. Cisco Device Manager installed or launched from Cisco Prime Data Center Network Manager (DCNM) or Cisco Fabric Manager is not affected. This vulnerability can only be exploited if the JNLP file is executed on systems running Microsoft Windows. The vulnerability affects the confidentiality, integrity, and availability of the client host performing the installation or execution of Cisco Device Manager via JNLP file. There is no impact on the Cisco MDS 9000 Family or Cisco Nexus 5000 Series Switches. Cisco has released free software updates that address this vulnerability in the Cisco Device Manager for Cisco MDS 9000 Family Switches. Cisco Nexus 5000 Series Switches have discontinued the support of the Cisco Device Manager installation via JNLP and updates are not available. Workarounds that mitigate this vulnerability are available. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130424-fmdm BEGIN PGP SIGNATURE Version: GnuPG/MacGPG2 v2.0.18 (Darwin) iF4EAREKAAYFAlF30BoACgkQUddfH3/BbTqARAD/efkFacOaSLxRk1eDkaVfrALV AzYT3xCcMQuWgc/OracA/01zIEtNJKdRu3tCK010hX7w2fdPH/D/RdUF7TFo885Z =u8iM END PGP SIGNATURE _______________________________________________ cust-security-announce mailing list cust-security-announce@cisco.com To unsubscribe, send the command "unsubscribe" in the subject of your message to cust-security-announce-leave@cisco.com |
Original Source
Url : http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco (...) |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-20 | Improper Input Validation |
CPE : Common Platform Enumeration
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2013-05-31 | Name : The remote device is missing a vendor-supplied security patch. File : cisco-sa-20130424-fmdm-nxos.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 10:22:09 |
|
2013-04-25 21:20:11 |
|
2013-04-24 21:18:40 |
|