Vulnerability Details : CVE-2014-3338
The CTIManager module in Cisco Unified Communications Manager (CM) 10.0(1), when single sign-on is enabled, does not properly validate Kerberos SSO tokens, which allows remote authenticated users to gain privileges and execute arbitrary commands via crafted token data, aka Bug ID CSCum95491.
Products affected by CVE-2014-3338
- cpe:2.3:a:cisco:unified_communications_manager:10.0\(1\):*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-3338
- 1.84%: Probability of exploitation activity in the next 30 days
- ~ 81%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2014-3338
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
8.5 | HIGH | AV:N/AC:M/Au:S/C:C/I:C/A:C | 6.8 | 10.0 | NIST | |
CWE ids for CVE-2014-3338
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-3338
- http://www.securityfocus.com/bid/69176
  Cisco Unified Communications Manager CVE-2014-3338 Command Injection Vulnerability
- http://secunia.com/advisories/60054
- http://tools.cisco.com/security/center/viewAlert.x?alertId=35258
  Cisco Unified Communications Manager CTIManager Vulnerability (Vendor Advisory)
- http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3338
  Cisco Unified Communications Manager CTIManager Vulnerability (Vendor Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/95246
  Cisco Unified Communications Manager SSO tokens command execution CVE-2014-3338 Vulnerability Report
- http://www.securitytracker.com/id/1030710
  Cisco Unified Communications Manager Kerberos SSO Token Processing Flaw Lets Remote Authenticated Users Execute Arbitrary Commands - SecurityTracker