Input validation vulnerability in Cisco Unified Computing System Performance Manager - CVE-2016-1374

 


Published: July 21, 2016


Vulnerability identifier: #VU185
CSH Severity: Critical
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Red
CVE-ID: CVE-2016-1374
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Cisco Systems, Inc
Affected software:
Cisco Unified Computing System Performance Manager

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

The vulnerability exists due to insufficient input validation performed on parameters that are passed via an HTTP GET request. A remote authenticated attacker can execute arbitrary commands with the privileges of the root user by sending crafted HTTP GET requests to an affected system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
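
The description above attributes the flaw to unvalidated HTTP GET parameters. The following log-review check for that pattern is an added example, not code from this advisory or from Cisco. The advisory does not name the affected endpoint or parameters, so the /report path, the device and range parameters, and the log lines are constructed, and the metacharacter match is a triage heuristic that can flag benign values.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Characters that let a parameter value break out of a shell command line.
SHELL_META = re.compile(r"[;&|`$<>\n\r]")
# Request field of a Common Log Format line: "GET /path?query HTTP/1.1"
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (e.g. %253B) is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(log_line):
    """Return [(name, decoded_value)] for GET parameters holding shell metacharacters."""
    m = REQUEST.search(log_line)
    if not m or m.group("method") != "GET":
        return []
    query = urlsplit(m.group("target")).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = fully_decode(value)  # parse_qsl already decoded one layer
        if SHELL_META.search(decoded):
            hits.append((name, decoded))
    return hits

# Constructed sample access-log lines (hypothetical path and parameter names).
SAMPLE_LOG = [
    '192.0.2.10 - alice [21/Jul/2016:10:00:01 +0000] "GET /report?device=ucs-01&range=24h HTTP/1.1" 200 512',
    '192.0.2.44 - bob [21/Jul/2016:10:00:07 +0000] "GET /report?device=ucs-01%3Bid HTTP/1.1" 200 97',
    '192.0.2.44 - bob [21/Jul/2016:10:00:09 +0000] "GET /report?device=ucs-01%2560id%2560 HTTP/1.1" 200 97',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(suspicious_params(line), "<-", line.split('"')[1])
```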

How to mitigate CVE-2016-1374

The vendor has issued a fix (Performance Manager 2.0.1).
