CVE-2018-15404 - OpenCVE

A vulnerability in the web interface of Cisco Integrated Management Controller (IMC) Supervisor and Cisco UCS Director could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected system. The vulnerability is due to insufficient restrictions on the size or total amount of resources allowed via the web interface. An attacker who has valid credentials for the application could exploit this vulnerability by sending a crafted or malformed HTTP request to the web interface. A successful exploit could allow the attacker to cause oversubscription of system resources or cause a component to become unresponsive, resulting in a DoS condition.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:S/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Cisco	Integrated Management Controller Supervisor Unified Computing System Director

Configuration 1 [-]

cpe:2.3:a:cisco:unified_computing_system_director:6.6\(0.0\):*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:a:cisco:integrated_management_controller_supervisor:2.1\(0.0\):*:*:*:*:*:*:*

No data.

References

Link	Providers
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-imcs-ucsd-dos

History

No history.

MITRE

Status: PUBLISHED

Assigner: cisco

Published: 2018-10-05T14:00:00Z

Updated: 2024-09-16T19:15:29.163Z

Reserved: 2018-08-17T00:00:00

Link: CVE-2018-15404

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-10-05T14:29:08.793

Modified: 2019-10-09T23:35:32.733

Link: CVE-2018-15404

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Cisco Unified Computing System Director", "vendor": "Cisco", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2018-10-03T00:00:00", "descriptions": [{"lang": "en", "value": "A vulnerability in the web interface of Cisco Integrated Management Controller (IMC) Supervisor and Cisco UCS Director could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected system. The vulnerability is due to insufficient restrictions on the size or total amount of resources allowed via the web interface. An attacker who has valid credentials for the application could exploit this vulnerability by sending a crafted or malformed HTTP request to the web interface. A successful exploit could allow the attacker to cause oversubscription of system resources or cause a component to become unresponsive, resulting in a DoS condition."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-399", "description": "CWE-399", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-10-05T13:57:01", "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco"}, "references": [{"name": "20181003 Cisco Integrated Management Controller Supervisor and Cisco UCS Director System Resources Denial of Service Vulnerability", "tags": ["vendor-advisory", "x_refsource_CISCO"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-imcs-ucsd-dos"}], "source": {"advisory": "cisco-sa-20181003-imcs-ucsd-dos", "defect": [["CSCvj95431", "CSCvk10284"]], "discovery": "UNKNOWN"}, "title": "Cisco Integrated Management Controller Supervisor and Cisco UCS Director System Resources Denial of Service Vulnerability", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@cisco.com", "DATE_PUBLIC": "2018-10-03T16:00:00-0500", "ID": "CVE-2018-15404", "STATE": "PUBLIC", "TITLE": "Cisco Integrated Management Controller Supervisor and Cisco UCS Director System Resources Denial of Service Vulnerability"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Cisco Unified Computing System Director", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "Cisco"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability in the web interface of Cisco Integrated Management Controller (IMC) Supervisor and Cisco UCS Director could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected system. The vulnerability is due to insufficient restrictions on the size or total amount of resources allowed via the web interface. An attacker who has valid credentials for the application could exploit this vulnerability by sending a crafted or malformed HTTP request to the web interface. A successful exploit could allow the attacker to cause oversubscription of system resources or cause a component to become unresponsive, resulting in a DoS condition."}]}, "impact": {"cvss": {"baseScore": "6.5", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-399"}]}]}, "references": {"reference_data": [{"name": "20181003 Cisco Integrated Management Controller Supervisor and Cisco UCS Director System Resources Denial of Service Vulnerability", "refsource": "CISCO", "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-imcs-ucsd-dos"}]}, "source": {"advisory": "cisco-sa-20181003-imcs-ucsd-dos", "defect": [["CSCvj95431", "CSCvk10284"]], "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T09:54:03.452Z"}, "title": "CVE Program Container", "references": [{"name": "20181003 Cisco Integrated Management Controller Supervisor and Cisco UCS Director System Resources Denial of Service Vulnerability", "tags": ["vendor-advisory", "x_refsource_CISCO", "x_transferred"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-imcs-ucsd-dos"}]}]}, "cveMetadata": {"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "assignerShortName": "cisco", "cveId": "CVE-2018-15404", "datePublished": "2018-10-05T14:00:00Z", "dateReserved": "2018-08-17T00:00:00", "dateUpdated": "2024-09-16T19:15:29.163Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cisco:unified_computing_system_director:6.6\\(0.0\\):*:*:*:*:*:*:*", "matchCriteriaId": "DFE8E563-553A-417B-992D-AFBAF8EE0830", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cisco:integrated_management_controller_supervisor:2.1\\(0.0\\):*:*:*:*:*:*:*", "matchCriteriaId": "9FEA6276-EEF3-4D27-B61C-EA632F6520D0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in the web interface of Cisco Integrated Management Controller (IMC) Supervisor and Cisco UCS Director could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected system. The vulnerability is due to insufficient restrictions on the size or total amount of resources allowed via the web interface. An attacker who has valid credentials for the application could exploit this vulnerability by sending a crafted or malformed HTTP request to the web interface. A successful exploit could allow the attacker to cause oversubscription of system resources or cause a component to become unresponsive, resulting in a DoS condition."}, {"lang": "es", "value": "Una vulnerabilidad en la interfaz web de Cisco Integrated Management Controller (IMC) Supervisor y Cisco UCS Director podr\u00eda permitir que un atacante remoto autenticado provoque una denegaci\u00f3n de servicio (DoS) en un sistema afectado. La vulnerabilidad se debe a las restricciones insuficientes en el tama\u00f1o o en la cantidad total de recursos permitidos mediante la interfaz web. Un atacante que cuente con credenciales v\u00e1lidas para la aplicaci\u00f3n podr\u00eda explotar esta vulnerabilidad enviando una petici\u00f3n HTTP manipulada o mal formada a la interfaz web. Su explotaci\u00f3n con \u00e9xito podr\u00eda permitir que el atacante provoque la suscripci\u00f3n excesiva de recursos del dispositivo o haga que un componente deje de responder, provocando una denegaci\u00f3n de servicio (DoS)."}], "id": "CVE-2018-15404", "lastModified": "2019-10-09T23:35:32.733", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-10-05T14:29:08.793", "references": [{"source": "ykramarz@cisco.com", "tags": ["Vendor Advisory"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-imcs-ucsd-dos"}], "sourceIdentifier": "ykramarz@cisco.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-399"}], "source": "ykramarz@cisco.com", "type": "Secondary"}]}