CVE-2016-1374
high
CVSS v3
8.8
CVSS v2
9.0
VIR risk
8.8
Description
The web framework in Cisco Unified Computing System (UCS) Performance Manager 2.0.0 and earlier allows remote authenticated users to execute arbitrary commands via crafted parameters in a GET request, aka Bug ID CSCuy07827.
Predictions
Exploit likelihood
92%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: psirt@cisco.com — http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160720-ucsperf
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| cisco | unified_computing_system_performance_manager | 1.0_base | |
| cisco | unified_computing_system_performance_manager | 1.1.0 | |
| cisco | unified_computing_system_performance_manager | 1.1.1 | |
| cisco | unified_computing_system_performance_manager | 2.0.0 | |
References
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160720-ucsperf
- http://www.securityfocus.com/bid/92044
- http://www.securitytracker.com/id/1036410
CWEs
CWE-20