SB2017120111 - Information disclosure in Cisco Secure Access Control System
Published: December 1, 2017
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Information disclosure (CVE-ID: CVE-2017-12354)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to obtain potentially sensitive information.
The vulnerability exists in the web-based interface of Cisco Secure Access Control System (ACS) due to insufficient protection of system software version information when the software responds to HTTP requests that are sent to the web-based interface of the software. A remote attacker can send specially crafted HTTP requests to the web-based interface and gain access to potentially sensitive information that can be used to conduct additional reconnaissance attacks.
Remediation
Install update from vendor's website.