CVE-2015-4219 : Cisco Secure Access Control System before 5.4(0.46.2) and 5.5 before 5.5(0.46) a

Cisco Secure Access Control System before 5.4(0.46.2) and 5.5 before 5.5(0.46) and Cisco Identity Services Engine 1.0(4.573) do not properly implement access control for support bundles, which allows remote authenticated users to obtain sensitive information via brute-force attempts to send valid credentials, aka Bug IDs CSCue00833 and CSCub40331.

Published 2015-06-24 10:59:13

Updated 2016-12-29 13:19:19

Source Cisco Systems, Inc.

View at NVD, CVE.org

Vulnerability category: Information leak

Products affected by CVE-2015-4219

Cisco » Secure Access Control System
Versions up to, including, (<=) 5.4.0.46.1
cpe:2.3:a:cisco:secure_access_control_system:*:*:*:*:*:*:*:*
Matching versions
Cisco » Secure Access Control System » Version: 5.3.0.40.5
cpe:2.3:a:cisco:secure_access_control_system:5.3.0.40.5:*:*:*:*:*:*:*
Matching versions
Cisco » Identity Services Engine Software » Version: 1.0.4.573
cpe:2.3:a:cisco:identity_services_engine_software:1.0.4.573:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2015-4219

EPSS FAQ

0.19%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 56 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2015-4219

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
4.0	MEDIUM	AV:N/AC:L/Au:S/C:P/I:N/A:N	8.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None

CWE ids for CVE-2015-4219

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: nvd@nist.gov (Primary)
CWE-264

Assigned by: nvd@nist.gov (Primary)

References for CVE-2015-4219

http://www.securitytracker.com/id/1032714

Cisco Identity Services Engine Access Control Flaw Lets Remote Authenticated Users Access Data - SecurityTracker
Third Party Advisory;VDB Entry
http://www.securityfocus.com/bid/75379

Multiple Cisco Products CVE-2015-4219 Unauthorized Access Vulnerability
Third Party Advisory;VDB Entry
http://www.securitytracker.com/id/1032713

Cisco Secure Access Control Server Access Control Flaw Lets Remote Authenticated Users Access Data - SecurityTracker
Third Party Advisory;VDB Entry
http://tools.cisco.com/security/center/viewAlert.x?alertId=39501

Cisco Identity Services Engine and Secure Access Control System Support Bundle Download Vulnerability
Vendor Advisory

Jump to

Vulnerability Details : CVE-2015-4219

Products affected by CVE-2015-4219

Exploit prediction scoring system (EPSS) score for CVE-2015-4219

CVSS scores for CVE-2015-4219

CWE ids for CVE-2015-4219

References for CVE-2015-4219