Information disclosure in Cisco Secure Access Control System (ACS) - CVE-2017-12354


Published: November 29, 2017 / Updated: December 1, 2017


Vulnerability identifier: #VU9510
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-12354
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Cisco Systems, Inc.
Affected software:
Cisco Secure Access Control System (ACS)

Detailed vulnerability description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists in the web-based interface of Cisco Secure Access Control System (ACS) due to insufficient protection of system software version information in the HTTP responses that the web-based interface returns. A remote attacker can send specially crafted HTTP requests to the web-based interface and obtain potentially sensitive information that can be used to conduct additional reconnaissance attacks.


How to mitigate CVE-2017-12354

Install the update from the vendor's website.

Sources