Vulnslist

Cisco Meraki HTTP Handler Local Information Disclosure Vulnerability

Cisco-SA-20141223-CVE-2014-7993 · Medium · Published · Updated

A vulnerability in an HTTP handler in Cisco Meraki firmware occurs because the handler does not require requests to come only from the Meraki cloud. This vulnerability could allow a LAN-based attacker to obtain sensitive credential information. An unauthenticated, remote attacker on an adjacent network could exploit the vulnerability by sending malicious HTTP requests to the unsecured HTTP handler, allowing the attacker to access sensitive information from the affected application. Cisco Meraki has confirmed the vulnerability and released software updates. Attackers must have access to networks adjacent to the targeted system to conduct an exploit, reducing the potential for attacks. Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.

Workarounds

Administrators are advised to apply the appropriate updates.

Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.

Administrators are advised to allow only trusted users to have network access.

Administrators are advised to monitor affected systems.

CVEs: CVE-2014-7993
Cisco Bug IDs: NA
CVSS Score: Base 6.1 (AV:A/AC:L/Au:N/C:C/I:N/A:N/E:F/RL:OF/RC:C)
Product Names From Source: Cisco Meraki MS Firmware, Cisco Meraki MR Firmware, Cisco-Meraki MX Firmware, Cisco Meraki MX Firmware
