CVE-2018-0451 - Vulnerability Details - OpenCVE

A vulnerability in the web-based management interface of Cisco Tetration Analytics could allow an authenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a customized link. A successful exploit could allow the attacker to perform arbitrary actions on an affected device by using a web browser and with the privileges of the user.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Cisco	Tetration Analytics

Configuration 1 [-]

OR	cpe:2.3:a:cisco:tetration_analytics:2.0\(2.20\):::::::*
	cpe:2.3:a:cisco:tetration_analytics:2.1\(1.31\):::::::*

No data.

References

Link	Providers
http://www.securityfocus.com/bid/105270
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-tetration-vulns

History

Tue, 26 Nov 2024 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: cisco

Published: 2018-10-05T14:00:00Z

Updated: 2024-11-26T14:41:19.569Z

Reserved: 2017-11-27T00:00:00

Link: CVE-2018-0451

Vulnrichment

Updated: 2024-08-05T03:28:10.386Z

NVD

Status : Modified

Published: 2018-10-05T14:29:03.137

Modified: 2024-11-21T03:38:15.523

Link: CVE-2018-0451

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Cisco Tetration Analytics", "vendor": "Cisco", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2018-09-05T00:00:00", "descriptions": [{"lang": "en", "value": "A vulnerability in the web-based management interface of Cisco Tetration Analytics could allow an authenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a customized link. A successful exploit could allow the attacker to perform arbitrary actions on an affected device by using a web browser and with the privileges of the user."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "CWE-352", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-10-07T09:57:02", "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco"}, "references": [{"name": "20180905 Cisco Tetration Analytics Cross-Site Request Forgery Vulnerability", "tags": ["vendor-advisory", "x_refsource_CISCO"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-tetration-vulns"}, {"name": "105270", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/105270"}], "source": {"advisory": "cisco-sa-20180905-tetration-vulns", "defect": [["CSCvh97957"]], "discovery": "UNKNOWN"}, "title": "Cisco Tetration Analytics Cross-Site Request Forgery Vulnerability", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@cisco.com", "DATE_PUBLIC": "2018-09-05T16:00:00-0500", "ID": "CVE-2018-0451", "STATE": "PUBLIC", "TITLE": "Cisco Tetration Analytics Cross-Site Request Forgery Vulnerability"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Cisco Tetration Analytics", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "Cisco"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability in the web-based management interface of Cisco Tetration Analytics could allow an authenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a customized link. A successful exploit could allow the attacker to perform arbitrary actions on an affected device by using a web browser and with the privileges of the user."}]}, "impact": {"cvss": {"baseScore": "4.6", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-352"}]}]}, "references": {"reference_data": [{"name": "20180905 Cisco Tetration Analytics Cross-Site Request Forgery Vulnerability", "refsource": "CISCO", "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-tetration-vulns"}, {"name": "105270", "refsource": "BID", "url": "http://www.securityfocus.com/bid/105270"}]}, "source": {"advisory": "cisco-sa-20180905-tetration-vulns", "defect": [["CSCvh97957"]], "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T03:28:10.386Z"}, "title": "CVE Program Container", "references": [{"name": "20180905 Cisco Tetration Analytics Cross-Site Request Forgery Vulnerability", "tags": ["vendor-advisory", "x_refsource_CISCO", "x_transferred"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-tetration-vulns"}, {"name": "105270", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/105270"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-11-25T18:51:29.264455Z", "id": "CVE-2018-0451", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-26T14:41:19.569Z"}}]}, "cveMetadata": {"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "assignerShortName": "cisco", "cveId": "CVE-2018-0451", "datePublished": "2018-10-05T14:00:00Z", "dateReserved": "2017-11-27T00:00:00", "dateUpdated": "2024-11-26T14:41:19.569Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-tetration-vulns", "name": "20180905 Cisco Tetration Analytics Cross-Site Request Forgery Vulnerability", "tags": ["vendor-advisory", "x_refsource_CISCO", "x_transferred"]}, {"url": "http://www.securityfocus.com/bid/105270", "name": "105270", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T03:28:10.386Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2018-0451", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-11-25T18:51:29.264455Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-25T18:53:15.697Z"}}], "cna": {"title": "Cisco Tetration Analytics Cross-Site Request Forgery Vulnerability", "source": {"defect": [["CSCvh97957"]], "advisory": "cisco-sa-20180905-tetration-vulns", "discovery": "UNKNOWN"}, "affected": [{"vendor": "Cisco", "product": "Cisco Tetration Analytics", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2018-09-05T00:00:00", "references": [{"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-tetration-vulns", "name": "20180905 Cisco Tetration Analytics Cross-Site Request Forgery Vulnerability", "tags": ["vendor-advisory", "x_refsource_CISCO"]}, {"url": "http://www.securityfocus.com/bid/105270", "name": "105270", "tags": ["vdb-entry", "x_refsource_BID"]}], "descriptions": [{"lang": "en", "value": "A vulnerability in the web-based management interface of Cisco Tetration Analytics could allow an authenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a customized link. A successful exploit could allow the attacker to perform arbitrary actions on an affected device by using a web browser and with the privileges of the user."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352"}]}], "providerMetadata": {"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco", "dateUpdated": "2018-10-07T09:57:02"}, "x_legacyV4Record": {"impact": {"cvss": {"version": "3.0", "baseScore": "4.6"}}, "source": {"defect": [["CSCvh97957"]], "advisory": "cisco-sa-20180905-tetration-vulns", "discovery": "UNKNOWN"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "n/a"}]}, "product_name": "Cisco Tetration Analytics"}]}, "vendor_name": "Cisco"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-tetration-vulns", "name": "20180905 Cisco Tetration Analytics Cross-Site Request Forgery Vulnerability", "refsource": "CISCO"}, {"url": "http://www.securityfocus.com/bid/105270", "name": "105270", "refsource": "BID"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability in the web-based management interface of Cisco Tetration Analytics could allow an authenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a customized link. A successful exploit could allow the attacker to perform arbitrary actions on an affected device by using a web browser and with the privileges of the user."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-352"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2018-0451", "STATE": "PUBLIC", "TITLE": "Cisco Tetration Analytics Cross-Site Request Forgery Vulnerability", "ASSIGNER": "psirt@cisco.com", "DATE_PUBLIC": "2018-09-05T16:00:00-0500"}}}}, "cveMetadata": {"cveId": "CVE-2018-0451", "state": "PUBLISHED", "dateUpdated": "2024-11-26T14:41:19.569Z", "dateReserved": "2017-11-27T00:00:00", "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "datePublished": "2018-10-05T14:00:00Z", "assignerShortName": "cisco"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cisco:tetration_analytics:2.0\\(2.20\\):*:*:*:*:*:*:*", "matchCriteriaId": "817C1C18-1C10-4131-B338-ED1974834A00", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:tetration_analytics:2.1\\(1.31\\):*:*:*:*:*:*:*", "matchCriteriaId": "6D28D2A2-D3CA-4A42-BFF6-EF822C86FEFB", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in the web-based management interface of Cisco Tetration Analytics could allow an authenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a customized link. A successful exploit could allow the attacker to perform arbitrary actions on an affected device by using a web browser and with the privileges of the user."}, {"lang": "es", "value": "Una vulnerabilidad en la interfaz de gesti\u00f3n basada en web de Cisco Tetration Analytics podr\u00eda permitir que un atacante remoto autenticado lleve a cabo un ataque de Cross-Site Request Forgery (CSRF) y realice acciones arbitrarias en un dispositivo afectado. La vulnerabilidad se debe a las medidas de protecci\u00f3n contra CSRF insuficientes para la interfaz de administraci\u00f3n web de un dispositivo afectado. Un atacante podr\u00eda explotar esta vulnerabilidad haciendo que un usuario de la interfaz siga un enlace personalizado. Su explotaci\u00f3n con \u00e9xito podr\u00eda permitir que el atacante realice acciones arbitrarias en un dispositivo afectado mediante un navegador web y con los privilegios del usuario."}], "id": "CVE-2018-0451", "lastModified": "2024-11-21T03:38:15.523", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-10-05T14:29:03.137", "references": [{"source": "ykramarz@cisco.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/105270"}, {"source": "ykramarz@cisco.com", "tags": ["Vendor Advisory"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-tetration-vulns"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/105270"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-tetration-vulns"}], "sourceIdentifier": "ykramarz@cisco.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "ykramarz@cisco.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}