CVE-2018-15465
Cisco Adaptive Security Appliance Software Privilege Escalation Vulnerability
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
A vulnerability in the authorization subsystem of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, but unprivileged (levels 0 and 1), remote attacker to perform privileged actions by using the web management interface. The vulnerability is due to improper validation of user privileges when using the web management interface. An attacker could exploit this vulnerability by sending specific HTTP requests via HTTPS to an affected device as an unprivileged user. An exploit could allow the attacker to retrieve files (including the running configuration) from the device or to upload and replace software images on the device.
Una vulnerabilidad en el subsistema de autorización de Cisco Adaptive Security Appliance (ASA) Software podría permitir que un atacante remoto autenticado, pero sin privilegios (niveles 0 y 1), realice acciones privilegiadas mediante el uso de la interfaz de gestión web. La vulnerabilidad se debe a la validación incorrecta de los privilegios del usuario al emplear la interfaz de gestión web. Un atacante podría explotar esta vulnerabilidad enviando peticiones HTTP específicas mediante HTTPS al dispositivo afectado como usuario sin privilegios. Su explotación podría permitir que el atacante recupere archivos (incluyendo la configuración en ejecución) del dispositivo o suba y reemplace imágenes del software en el dispositivo.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2018-08-17 CVE Reserved
- 2018-12-24 CVE Published
- 2024-05-11 EPSS Updated
- 2024-09-17 CVE Updated
- 2024-09-17 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-285: Improper Authorization
- CWE-863: Incorrect Authorization
CAPEC
References (3)
| URL | Tag | Source |
|---|---|---|
| http://www.securityfocus.com/bid/106256 | Third Party Advisory |
| URL | Date | SRC |
|---|---|---|
| https://www.tenable.com/security/research/tra-2018-46 | 2024-09-17 |
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Cisco Search vendor "Cisco" | Adaptive Security Appliance Software Search vendor "Cisco" for product "Adaptive Security Appliance Software" | < 9.4.4.29 Search vendor "Cisco" for product "Adaptive Security Appliance Software" and version " < 9.4.4.29" | - |
Affected
| ||||||
| Cisco Search vendor "Cisco" | Adaptive Security Appliance Software Search vendor "Cisco" for product "Adaptive Security Appliance Software" | >= 9.5 < 9.6.4.20 Search vendor "Cisco" for product "Adaptive Security Appliance Software" and version " >= 9.5 < 9.6.4.20" | - |
Affected
| ||||||
| Cisco Search vendor "Cisco" | Adaptive Security Appliance Software Search vendor "Cisco" for product "Adaptive Security Appliance Software" | >= 9.7 < 9.8.3.18 Search vendor "Cisco" for product "Adaptive Security Appliance Software" and version " >= 9.7 < 9.8.3.18" | - |
Affected
| ||||||
| Cisco Search vendor "Cisco" | Adaptive Security Appliance Software Search vendor "Cisco" for product "Adaptive Security Appliance Software" | >= 9.9 < 9.9.2.36 Search vendor "Cisco" for product "Adaptive Security Appliance Software" and version " >= 9.9 < 9.9.2.36" | - |
Affected
| ||||||
| Cisco Search vendor "Cisco" | Adaptive Security Appliance Software Search vendor "Cisco" for product "Adaptive Security Appliance Software" | >= 9.10 < 9.10.1.7 Search vendor "Cisco" for product "Adaptive Security Appliance Software" and version " >= 9.10 < 9.10.1.7" | - |
Affected
| ||||||