Insufficient Access Control in ArcSight ESM and ESM Express
CVE-2017-13987

6.5MEDIUM

Key Information:

Vendor: HP
Status: Arcsight Enterprise Security Manager
Vendor: CVE Published:; 30 September 2017

Summary

An insufficient access control vulnerability exists in ArcSight ESM and ArcSight ESM Express, impacting specific versions that permit unauthorized users to download log files. This exposure can lead to potential information leaks, putting sensitive data at risk. Users running ArcSight ESM versions prior to 6.9.1c Patch 4 and ArcSight ESM Express version 6.11.0 Patch 1 should take precautions to mitigate unauthorized access.

References

https://softwaresupport.hpe.com/km/KM02944672

x_refsource_CONFIRM

http://www.securityfocus.com/bid/100935

vdb-entryx_refsource_BID

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 30, 2017
Vulnerability Reserved
Aug 30, 2017