CVE-2018-0096

{"id": "CVE-2018-0096", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.9, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 0.7}]}, "published": "2018-01-18T06:29:00.817", "references": [{"url": "http://www.securityfocus.com/bid/102727", "tags": ["Third Party Advisory", "VDB Entry"], "source": "ykramarz@cisco.com"}, {"url": "http://www.securitytracker.com/id/1040242", "tags": ["Third Party Advisory", "VDB Entry"], "source": "ykramarz@cisco.com"}, {"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180117-cpi", "tags": ["Vendor Advisory"], "source": "ykramarz@cisco.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-863"}]}, {"type": "Secondary", "source": "ykramarz@cisco.com", "description": [{"lang": "en", "value": "CWE-264"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in the role-based access control (RBAC) functionality of Cisco Prime Infrastructure could allow an authenticated, remote attacker to perform a privilege escalation in which one virtual domain user can view and modify another virtual domain configuration. The vulnerability is due to a failure to properly enforce RBAC for virtual domains. An attacker could exploit this vulnerability by sending an authenticated, crafted HTTP request to a targeted application. An exploit could allow the attacker to bypass RBAC policies on the targeted system to modify a virtual domain and access resources that are not normally accessible. Cisco Bug IDs: CSCvg36875."}, {"lang": "es", "value": "Una vulnerabilidad en la funcionalidad RBAC (control de acceso basado en roles) de Cisco Prime Infrastructure podr\u00eda permitir que un atacante remoto autenticado realice un escalado de privilegios en el que un usuario de un dominio virtual puede visualizar y modificar la configuraci\u00f3n de otro dominio virtual. La vulnerabilidad se debe a no poder cumplir correctamente el RBAC para los dominios virtuales. Un atacante podr\u00eda explotar esta vulnerabilidad mediante el env\u00edo de una petici\u00f3n HTTP manipulada a una aplicaci\u00f3n objetivo. Su explotaci\u00f3n podr\u00eda permitir que un atacante omita las pol\u00edticas RBAC en el sistema objetivo para modificar un dominio virtual y acceder a recursos que no son normalmente accesibles. Cisco Bug IDs: CSCvg36875."}], "lastModified": "2019-10-09T23:31:13.377", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cisco:prime_infrastructure:3.2\\(0.0\\):*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "146E4ECF-B903-488C-8644-932FC57F072C"}, {"criteria": "cpe:2.3:a:cisco:prime_infrastructure:3.3\\(0.0\\):*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A67FAFC9-7F4B-4CB5-AF27-74E20DD21B2D"}], "operator": "OR"}]}], "sourceIdentifier": "ykramarz@cisco.com"}