Information disclosure in Cisco Ultra Services Framework - CVE-2017-6709
Published: July 6, 2017
Vulnerability identifier: #VU7342
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-6709
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Cisco Systems, Inc
Affected software:
Cisco Ultra Services Framework
Cisco Ultra Services Framework
Detailed vulnerability description
The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information.
The vulnerability exists in the AutoVNF tool for the Cisco Ultra Services Framework due to logging of administrative credentials for Cisco ESC and Cisco OpenStack deployment purposes in clear text. A remote attacker can access the AutoVNF URL for the location where the log files are stored and subsequently access the administrative credential.
Successful exploitation of the vulnerability may result in information disclosure.
The vulnerability exists in the AutoVNF tool for the Cisco Ultra Services Framework due to logging of administrative credentials for Cisco ESC and Cisco OpenStack deployment purposes in clear text. A remote attacker can access the AutoVNF URL for the location where the log files are stored and subsequently access the administrative credential.
Successful exploitation of the vulnerability may result in information disclosure.
How to mitigate CVE-2017-6709
The vulnerability is addressed in the following versions:
5.0.3, 5.1.
5.0.3, 5.1.