Vulnerability Details : CVE-2018-6671
Potential exploit
Application Protection Bypass vulnerability in McAfee ePolicy Orchestrator (ePO) 5.3.0 through 5.3.3 and 5.9.0 through 5.9.1 allows remote authenticated users to bypass localhost only access security protection for some ePO features via a specially crafted HTTP request.
Products affected by CVE-2018-6671
- cpe:2.3:a:mcafee:epolicy_orchestrator:*:*:*:*:*:*:*:*
- cpe:2.3:a:mcafee:epolicy_orchestrator:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-6671
- EPSS score: 1.42% (probability of exploitation activity in the next 30 days)
- Percentile: ~79% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2018-6671
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.0 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:P/A:N | 8.0 | 2.9 | NIST | |
6.5 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N | 2.8 | 3.6 | NIST | |
4.7 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N | 1.6 | 2.7 | McAfee (DEFUNCT) | |
References for CVE-2018-6671
- https://kc.mcafee.com/corporate/index?page=content&id=SB10240
  McAfee Security Bulletin - ePolicy Orchestrator update fixes possible localhost only access bypass and sensitive information leak vulnerability (CVE-2018-6671 and CVE-2018-6672) [Vendor Advisory]
- http://www.securitytracker.com/id/1041155
  McAfee ePolicy Orchestrator Bugs Let Remote Authenticate Users Obtain Potentially Sensitive Information and Bypass Access Controls - SecurityTracker [Third Party Advisory; VDB Entry]
- http://www.securityfocus.com/bid/104485
  McAfee ePolicy Orchestrator Access Bypass and Information Disclosure Vulnerabilities [Third Party Advisory; VDB Entry]
- https://www.exploit-db.com/exploits/46518/
  McAfee ePO 5.9.1 - Registered Executable Local Access Bypass [Exploit; Third Party Advisory; VDB Entry]