PT-2015-2589 · Cisco · Cisco Secure Access Control Server

Published

2015-10-30

Updated

2016-12-07

CVE-2015-6347

CVSS v2.0

4.0

Medium

Vector

AV:N/AC:L/Au:S/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions Cisco Secure Access Control Server (ACS) version 5.7(0.15)

Description The issue concerns a component of the Cisco Secure Access Control System, specifically the Solution Engine, which has inadequate access restrictions to certain functions. This allows a remote authenticated user to bypass intended Role-Based Access Control (RBAC) restrictions. By visiting a specific web page, an attacker can create a new dashboard or portlet.

Recommendations For Cisco Secure Access Control Server (ACS) version 5.7(0.15), consider restricting access to the Solution Engine component until a patch is available. As a temporary workaround, limit the creation of new dashboards or portlets to authorized personnel only.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-264

Related Identifiers

BDU:2015-11954

CVE-2015-6347

Affected Products

Cisco Secure Access Control Server

PT-2015-2589 · Cisco · Cisco Secure Access Control Server

CVE-2015-6347

Weakness Enumeration

Related Identifiers

Affected Products

References · 4