Vulnslist


Cisco Enterprise Content Delivery System Web Directory Traversal and Arbitrary File Access Vulnerability

Cisco-SA-20141222-CVE-2014-8019 · Medium · Published · Updated

A vulnerability in Cisco Enterprise Content Delivery System (ECDS) could allow an unauthenticated, remote attacker to conduct directory traversal attacks on a targeted system. The vulnerability is due to insufficient validation of user-supplied input by the affected software.

An attacker could exploit this vulnerability by sending crafted web requests with a directory traversal sequence to the system. An exploit could allow the attacker to access a specific file that is not normally exposed through the web interface. Functional code that exploits this vulnerability is publicly available. Cisco has confirmed the vulnerability but software updates are not available.

To exploit the vulnerability, the attacker must send crafted HTTP requests to the affected system. Depending on the network configuration, the attacker would likely need access to trusted, internal networks. This access requirement could limit the likelihood of a successful attack.

Workarounds

Administrators are advised to apply the appropriate updates.

Administrators are advised to allow only trusted users to have network access.

Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.

Administrators are advised to monitor affected systems.
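
One way to act on the monitoring and ACL workarounds above, as an added example that is not from Cisco or this advisory: a Python scan of web access logs that flags requests carrying a directory traversal sequence, including percent-encoded and double-encoded forms, and records whether the source is outside the trusted networks. The log format, the trusted range and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote
# Assumption: management networks the ACL is meant to allow (constructed value).
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# Assumption: Common Log Format; the advisory does not name a log format.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]*\] "\S+ (?P<target>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample lines, not taken from any real system.
SAMPLE_LOG = [
    '10.20.0.15 - - [22/Dec/2014:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.44 - - [22/Dec/2014:10:02:10 +0000] "GET /docs/../../placeholder.conf HTTP/1.1" 200 1830',
    '192.0.2.44 - - [22/Dec/2014:10:02:11 +0000] "GET /docs/%252e%252e%252fplaceholder.conf HTTP/1.1" 404 0',
    '10.20.0.15 - - [22/Dec/2014:10:03:00 +0000] "GET /view?file=..%5c..%5cplaceholder.conf HTTP/1.1" 403 0',
    '10.20.0.15 - - [22/Dec/2014:10:04:00 +0000] "GET /release..notes.txt HTTP/1.1" 200 90',
]

def fully_decode(target, max_rounds=3):
    """Percent-decode repeatedly so double-encoded sequences are still seen."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def has_traversal(target):
    """True if any path or query component of the decoded target is exactly '..'."""
    return ".." in re.split(r"[/\\?&=]", fully_decode(target))

def is_trusted(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:  # hostname or malformed source field
        return False
    return any(addr in net for net in TRUSTED_NETS)

def scan(lines):
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and has_traversal(m["target"]):
            findings.append({"src": m["src"], "target": m["target"],
                             "status": int(m["status"]),
                             "trusted_src": is_trusted(m["src"])})
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding with `trusted_src` set to false means the ACL is not restricting access as intended; a 200 status on any finding warrants checking what the system returned.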

CVEs: CVE-2014-8019
Cisco Bug IDs: CSCuo90148
CVSS Score: Base 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C)
Product Names From Source: Cisco Enterprise Content Delivery System (ECDS)
