CVE-2018-0335 : A vulnerability in the web portal authentication process of Cisco Prime Collabor

A vulnerability in the web portal authentication process of Cisco Prime Collaboration Provisioning could allow an unauthenticated, local attacker to view sensitive data. The vulnerability is due to improper logging of authentication data. An attacker could exploit this vulnerability by monitoring a specific World-Readable file for this authentication data (Cleartext Passwords). An exploit could allow the attacker to gain authentication information for other users. Cisco Bug IDs: CSCvd86602.

Published 2018-06-07 21:29:01

Updated 2019-10-09 23:31:48

Source Cisco Systems, Inc.

View at NVD, CVE.org

Vulnerability category: Information leak

Products affected by CVE-2018-0335

Cisco » Prime Collaboration » Version: 12.2
cpe:2.3:a:cisco:prime_collaboration:12.2:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2018-0335

EPSS FAQ

0.04%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 6 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2018-0335

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
2.1	LOW	AV:L/AC:L/Au:N/C:P/I:N/A:N	3.9	2.9	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
7.8	HIGH	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2018-0335

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: ykramarz@cisco.com (Secondary)
CWE-522 Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Assigned by: nvd@nist.gov (Primary)
CWE-532 Insertion of Sensitive Information into Log File

The product writes sensitive information to a log file.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2018-0335

http://www.securityfocus.com/bid/104473

Cisco Prime Collaboration Provisioning CVE-2018-0335 Local Information Disclosure Vulnerability
Third Party Advisory;VDB Entry
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-cpcp-id

Cisco Prime Collaboration Provisioning Cleartext Passwords Written to World-Readable File Vulnerability
Vendor Advisory
http://www.securitytracker.com/id/1041069

Cisco Prime Collaboration Provisioning Plaintext Password Logging Lets Local Users View Passwords - SecurityTracker
Third Party Advisory;VDB Entry

Jump to

Vulnerability Details : CVE-2018-0335

Products affected by CVE-2018-0335

Exploit prediction scoring system (EPSS) score for CVE-2018-0335

CVSS scores for CVE-2018-0335

CWE ids for CVE-2018-0335

References for CVE-2018-0335