PT-2017-17267 · Cisco+1 · Cisco Elastic Services Controller+1

Published: 2017-07-06 · Updated: 2019-10-09 · CVE-2017-6713

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Cisco Elastic Services Controller versions prior to 2.3.1.434 and 2.3.2

Description

A vulnerability in the Play Framework of Cisco Elastic Services Controller could allow an unauthenticated, remote attacker to gain full access to the affected system. This is due to static, default credentials for the Cisco ESC UI that are shared between installations. An attacker who can extract the static credentials from an existing installation of Cisco ESC could generate an admin session token that allows access to all instances of the ESC web UI.

Recommendations

For versions prior to 2.3.1.434, update to release 2.3.1.434 or later. For versions prior to 2.3.2, update to release 2.3.2 or later.

Fix

Allocation of Resources Without Limits

Weakness Enumeration

Related Identifiers

CVE-2017-6713

Affected Products

Cisco Elastic Services Controller
Play Framework