Vulnerability Details : CVE-2018-15382
A vulnerability in Cisco HyperFlex Software could allow an unauthenticated, remote attacker to generate valid, signed session tokens. The vulnerability is due to a static signing key that is present in all Cisco HyperFlex systems. An attacker could exploit this vulnerability by accessing the static signing key from one HyperFlex system and using it to generate valid, signed session tokens for another HyperFlex system. A successful exploit could allow the attacker to access the HyperFlex Web UI of a system for which they are not authorized.
Products affected by CVE-2018-15382
- cpe:2.3:o:cisco:hyperflex_hx_data_platform:3.0\(1a\):*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-15382
0.13%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 48 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2018-15382
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST | |
8.6
|
HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H |
3.9
|
4.7
|
NIST |
CWE ids for CVE-2018-15382
-
The product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors.Assigned by:
- nvd@nist.gov (Primary)
- ykramarz@cisco.com (Secondary)
References for CVE-2018-15382
-
http://www.securityfocus.com/bid/105518
Cisco HyperFlex Static Signing Key CVE-2018-15382 Authorization Bypass VulnerabilityThird Party Advisory;VDB Entry
-
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-hyperflex-secret
Cisco HyperFlex Software Static Signing Key VulnerabilityVendor Advisory
Jump to