Vulnerability-Lookup

CNVD-2015-03842

Vulnerability from cnvd - Published: 2015-06-19

Title

Cisco Virtualization Experience Client输入验证权限提升漏洞

Description

Cisco Virtualization Experience Client是美国思科（Cisco）公司的一款集成虚拟化基础设施的瘦客户端。 Cisco Virtualization Experience Client 6000系列的11.2(27.4)固件版本所包含的管理WEB接口的子系统存在输入验证漏洞，允许攻击者利用漏洞以ROOT权限执行任意代码。

Severity

中

Patch Name

Cisco Virtualization Experience Client输入验证权限提升漏洞的补丁

Patch Description

Formal description

用户可参考如下厂商提供的安全公告获取补丁以修复该漏洞： http://tools.cisco.com/security/center/viewAlert.x?alertId=39347

Reference

http://tools.cisco.com/security/center/viewAlert.x?alertId=39347

Impacted products

Name
Cisco Virtualization Experience Client 6000 Series Firmware 11.2 (27.4)

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "75195"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2015-4186"
    }
  },
  "description": "Cisco Virtualization Experience Client\u662f\u7f8e\u56fd\u601d\u79d1\uff08Cisco\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u96c6\u6210\u865a\u62df\u5316\u57fa\u7840\u8bbe\u65bd\u7684\u7626\u5ba2\u6237\u7aef\u3002\r\n\r\nCisco Virtualization Experience Client 6000\u7cfb\u5217\u768411.2(27.4)\u56fa\u4ef6\u7248\u672c\u6240\u5305\u542b\u7684\u7ba1\u7406WEB\u63a5\u53e3\u7684\u5b50\u7cfb\u7edf\u5b58\u5728\u8f93\u5165\u9a8c\u8bc1\u6f0f\u6d1e\uff0c\u5141\u8bb8\u653b\u51fb\u8005\u5229\u7528\u6f0f\u6d1e\u4ee5ROOT\u6743\u9650\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002",
  "discovererName": "Cisco",
  "formalWay": "\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u5382\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u516c\u544a\u83b7\u53d6\u8865\u4e01\u4ee5\u4fee\u590d\u8be5\u6f0f\u6d1e\uff1a\r\nhttp://tools.cisco.com/security/center/viewAlert.x?alertId=39347",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2015-03842",
  "openTime": "2015-06-19",
  "patchDescription": "Cisco Virtualization Experience Client\u662f\u7f8e\u56fd\u601d\u79d1\uff08Cisco\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u96c6\u6210\u865a\u62df\u5316\u57fa\u7840\u8bbe\u65bd\u7684\u7626\u5ba2\u6237\u7aef\u3002\r\n\r\nCisco Virtualization Experience Client 6000\u7cfb\u5217\u768411.2(27.4)\u56fa\u4ef6\u7248\u672c\u6240\u5305\u542b\u7684\u7ba1\u7406WEB\u63a5\u53e3\u7684\u5b50\u7cfb\u7edf\u5b58\u5728\u8f93\u5165\u9a8c\u8bc1\u6f0f\u6d1e\uff0c\u5141\u8bb8\u653b\u51fb\u8005\u5229\u7528\u6f0f\u6d1e\u4ee5ROOT\u6743\u9650\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Cisco Virtualization Experience Client\u8f93\u5165\u9a8c\u8bc1\u6743\u9650\u63d0\u5347\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Cisco Virtualization Experience Client 6000 Series Firmware 11.2 (27.4)"
  },
  "referenceLink": "http://tools.cisco.com/security/center/viewAlert.x?alertId=39347",
  "serverity": "\u4e2d",
  "submitTime": "2015-06-17",
  "title": "Cisco Virtualization Experience Client\u8f93\u5165\u9a8c\u8bc1\u6743\u9650\u63d0\u5347\u6f0f\u6d1e"
}

CVE-2015-4186 (GCVE-0-2015-4186)

Vulnerability from cvelistv5 – Published: 2015-06-17 10:00 – Updated: 2024-08-06 06:04

Summary

The diagnostics subsystem in the administrative web interface on Cisco Virtualization Experience (aka VXC) Client 6215 devices with firmware 11.2(27.4) allows local users to gain privileges for OS command execution via a crafted option value, aka Bug ID CSCug54412.

Severity ?

No CVSS data available.

CWE

Assigner

cisco

References

URL

Tags

	http://www.securityfocus.com/bid/75195	vdb-entryx_refsource_BID
	http://www.securitytracker.com/id/1032583	vdb-entryx_refsource_SECTRACK
	http://tools.cisco.com/security/center/viewAlert.…	vendor-advisoryx_refsource_CISCO

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T06:04:03.203Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "75195",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/75195"
          },
          {
            "name": "1032583",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1032583"
          },
          {
            "name": "20150615 Cisco Virtualization Experience Client 6215 Devices Command Injection Vulnerability",
            "tags": [
              "vendor-advisory",
              "x_refsource_CISCO",
              "x_transferred"
            ],
            "url": "http://tools.cisco.com/security/center/viewAlert.x?alertId=39347"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-06-15T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The diagnostics subsystem in the administrative web interface on Cisco Virtualization Experience (aka VXC) Client 6215 devices with firmware 11.2(27.4) allows local users to gain privileges for OS command execution via a crafted option value, aka Bug ID CSCug54412."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2016-12-05T14:57:01",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "name": "75195",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/75195"
        },
        {
          "name": "1032583",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1032583"
        },
        {
          "name": "20150615 Cisco Virtualization Experience Client 6215 Devices Command Injection Vulnerability",
          "tags": [
            "vendor-advisory",
            "x_refsource_CISCO"
          ],
          "url": "http://tools.cisco.com/security/center/viewAlert.x?alertId=39347"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@cisco.com",
          "ID": "CVE-2015-4186",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The diagnostics subsystem in the administrative web interface on Cisco Virtualization Experience (aka VXC) Client 6215 devices with firmware 11.2(27.4) allows local users to gain privileges for OS command execution via a crafted option value, aka Bug ID CSCug54412."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "75195",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/75195"
            },
            {
              "name": "1032583",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1032583"
            },
            {
              "name": "20150615 Cisco Virtualization Experience Client 6215 Devices Command Injection Vulnerability",
              "refsource": "CISCO",
              "url": "http://tools.cisco.com/security/center/viewAlert.x?alertId=39347"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2015-4186",
    "datePublished": "2015-06-17T10:00:00",
    "dateReserved": "2015-06-04T00:00:00",
    "dateUpdated": "2024-08-06T06:04:03.203Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2015-03842

CVE-2015-4186 (GCVE-0-2015-4186)

Tags

Sightings

Nomenclature