Cisco Integrated Management Controller Supervisor and Cisco UCS Director Authenticated Web Interface Information Disclosure Vulnerability
CVE-2018-15405

6.5MEDIUM

Key Information:

Vendor: Cisco
Status: Cisco Unified Computing System Director
Vendor: CVE Published:; 5 October 2018

Summary

A vulnerability in the web interface for specific feature sets of Cisco Integrated Management Controller (IMC) Supervisor and Cisco UCS Director could allow an authenticated, remote attacker to access sensitive information. The vulnerability is due to an authorization check that does not properly include the access level of the web interface user. An attacker who has valid application credentials could exploit this vulnerability by sending a crafted HTTP request to the web interface. A successful exploit could allow the attacker to view sensitive information that belongs to other users. The attacker could then use this information to conduct additional reconnaissance attacks.

Affected Version(s)

Cisco Unified Computing System Director

References

http://www.securitytracker.com/id/1041779

vdb-entryx_refsource_SECTRACK

https://tools.cisco.com/security/center/content/CiscoSecu...

vendor-advisoryx_refsource_CISCO

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 5, 2018
Vulnerability Reserved
Aug 17, 2018