CVE-2014-3402 : The authentication-manager process in the web framework in Cisco Intrusion Preve

The authentication-manager process in the web framework in Cisco Intrusion Prevention System (IPS) 7.0(8)E4 and earlier in Cisco Intrusion Detection System (IDS) does not properly manage user tokens, which allows remote attackers to cause a denial of service (temporary MainApp hang) via a crafted connection request to the management interface, aka Bug ID CSCuq39550.

Published 2014-10-10 10:55:07

Updated 2025-04-12 10:46:41

Source Cisco Systems, Inc.

View at NVD, CVE.org

Vulnerability category: Denial of service

Products affected by CVE-2014-3402

Cisco » Intrusion Prevention System
Versions up to, including, (<=) 7.0\(8\)e4
cpe:2.3:a:cisco:intrusion_prevention_system:*:*:*:*:*:*:*:*
Matching versions
Cisco » Intrusion Prevention System » Version: 7.0
cpe:2.3:a:cisco:intrusion_prevention_system:7.0:*:*:*:*:*:*:*
Matching versions
Cisco » Intrusion Prevention System » Version: 7.0(3)e4
cpe:2.3:a:cisco:intrusion_prevention_system:7.0\(3\)e4:*:*:*:*:*:*:*
Matching versions
Cisco » Intrusion Prevention System » Version: 7.0(4)e4
cpe:2.3:a:cisco:intrusion_prevention_system:7.0\(4\)e4:*:*:*:*:*:*:*
Matching versions
Cisco » Intrusion Prevention System » Version: 7.0(5a)e4
cpe:2.3:a:cisco:intrusion_prevention_system:7.0\(5a\)e4:*:*:*:*:*:*:*
Matching versions
Cisco » Intrusion Prevention System » Version: 7.0(6)e4
cpe:2.3:a:cisco:intrusion_prevention_system:7.0\(6\)e4:*:*:*:*:*:*:*
Matching versions
Cisco » Intrusion Prevention System » Version: 7.0(7)e4
cpe:2.3:a:cisco:intrusion_prevention_system:7.0\(7\)e4:*:*:*:*:*:*:*
Matching versions
Cisco » Intrusion Prevention System » Version: 7.0(2)e3
cpe:2.3:a:cisco:intrusion_prevention_system:7.0\(2\)e3:*:*:*:*:*:*:*
Matching versions
Cisco » Intrusion Prevention System » Version: 7.0(2)e4
cpe:2.3:a:cisco:intrusion_prevention_system:7.0\(2\)e4:*:*:*:*:*:*:*
Matching versions
Cisco » Intrusion Prevention System » Version: 7.0(1)e3
cpe:2.3:a:cisco:intrusion_prevention_system:7.0\(1\)e3:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2014-3402

EPSS FAQ

0.47%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 62 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2014-3402

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:N/A:P	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial

CWE ids for CVE-2014-3402

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2014-3402

http://tools.cisco.com/security/center/viewAlert.x?alertId=36014

Cisco Intrusion Prevention System MainApp Denial of Service Vulnerability
Vendor Advisory
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3402

Cisco Intrusion Prevention System MainApp Denial of Service Vulnerability
Vendor Advisory

Jump to

Vulnerability Details : CVE-2014-3402

Products affected by CVE-2014-3402

Exploit prediction scoring system (EPSS) score for CVE-2014-3402

CVSS scores for CVE-2014-3402

CWE ids for CVE-2014-3402

References for CVE-2014-3402