CVE-2018-0121 : A vulnerability in the authentication functionality of the web-based service por

A vulnerability in the authentication functionality of the web-based service portal of Cisco Elastic Services Controller Software could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrator privileges on an affected system. The vulnerability is due to improper security restrictions that are imposed by the web-based service portal of the affected software. An attacker could exploit this vulnerability by submitting an empty password value to an affected portal when prompted to enter an administrative password for the portal. A successful exploit could allow the attacker to bypass authentication and gain administrator privileges for the web-based service portal of the affected software. This vulnerability affects Cisco Elastic Services Controller Software Release 3.0.0. Cisco Bug IDs: CSCvg29809.

Published 2018-02-22 00:29:00

Updated 2019-10-09 23:31:17

Source Cisco Systems, Inc.

View at NVD, CVE.org

Vulnerability category: BypassGain privilege

Products affected by CVE-2018-0121

Cisco » Elastic Services Controller » Version: 3.0.0
cpe:2.3:a:cisco:elastic_services_controller:3.0.0:*:*:*:*:*:*:*
Matching versions
Cisco » Virtual Managed Services » Version: 3.0
cpe:2.3:a:cisco:virtual_managed_services:3.0:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2018-0121

EPSS FAQ

6.66%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 90 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2018-0121

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	10.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
9.8	CRITICAL	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2018-0121

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Assigned by:
- nvd@nist.gov (Primary)
- ykramarz@cisco.com (Secondary)

References for CVE-2018-0121

http://www.securityfocus.com/bid/103113

Cisco Elastic Services Controller Software CVE-2018-0121 Authentication Bypass Vulnerability
Third Party Advisory;VDB Entry
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180221-esc

Cisco Elastic Services Controller Service Portal Authentication Bypass Vulnerability
Vendor Advisory

Jump to

Vulnerability Details : CVE-2018-0121

Products affected by CVE-2018-0121

Exploit prediction scoring system (EPSS) score for CVE-2018-0121

CVSS scores for CVE-2018-0121

CWE ids for CVE-2018-0121

References for CVE-2018-0121