Total
19 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-1312 | 1 Cisco | 1 Elastic Services Controller | 2021-01-29 | 5.0 MEDIUM | 7.5 HIGH |
A vulnerability in the system resource management of Cisco Elastic Services Controller (ESC) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) to the health monitor API on an affected device. The vulnerability is due to inadequate provisioning of kernel parameters for the maximum number of TCP connections and SYN backlog. An attacker could exploit this vulnerability by sending a flood of crafted TCP packets to an affected device. A successful exploit could allow the attacker to block TCP listening ports that are used by the health monitor API. This vulnerability only affects customers who use the health monitor API. | |||||
CVE-2018-0106 | 1 Cisco | 1 Elastic Services Controller | 2020-09-04 | 2.1 LOW | 3.3 LOW |
A vulnerability in the ConfD server of the Cisco Elastic Services Controller (ESC) could allow an unauthenticated, local attacker to access sensitive information on a targeted system. The vulnerability is due to insufficient security restrictions. An attacker could exploit this vulnerability by accessing unauthorized information within the ConfD directory and file structure. Successful exploitation could allow the attacker to view sensitive information. Cisco Bug IDs: CSCvg00221. | |||||
CVE-2019-1867 | 1 Cisco | 1 Elastic Services Controller | 2019-10-09 | 10.0 HIGH | 10.0 CRITICAL |
A vulnerability in the REST API of Cisco Elastic Services Controller (ESC) could allow an unauthenticated, remote attacker to bypass authentication on the REST API. The vulnerability is due to improper validation of API requests. An attacker could exploit this vulnerability by sending a crafted request to the REST API. A successful exploit could allow the attacker to execute arbitrary actions through the REST API with administrative privileges on an affected system. | |||||
CVE-2018-0121 | 1 Cisco | 2 Elastic Services Controller, Virtual Managed Services | 2019-10-09 | 7.5 HIGH | 9.8 CRITICAL |
A vulnerability in the authentication functionality of the web-based service portal of Cisco Elastic Services Controller Software could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrator privileges on an affected system. The vulnerability is due to improper security restrictions that are imposed by the web-based service portal of the affected software. An attacker could exploit this vulnerability by submitting an empty password value to an affected portal when prompted to enter an administrative password for the portal. A successful exploit could allow the attacker to bypass authentication and gain administrator privileges for the web-based service portal of the affected software. This vulnerability affects Cisco Elastic Services Controller Software Release 3.0.0. Cisco Bug IDs: CSCvg29809. | |||||
CVE-2017-6713 | 1 Cisco | 1 Elastic Services Controller | 2019-10-09 | 10.0 HIGH | 9.8 CRITICAL |
A vulnerability in the Play Framework of Cisco Elastic Services Controller (ESC) could allow an unauthenticated, remote attacker to gain full access to the affected system. The vulnerability is due to static, default credentials for the Cisco ESC UI that are shared between installations. An attacker who can extract the static credentials from an existing installation of Cisco ESC could generate an admin session token that allows access to all instances of the ESC web UI. This vulnerability affects Cisco Elastic Services Controller prior to releases 2.3.1.434 and 2.3.2. Cisco Bug IDs: CSCvc76627. | |||||
CVE-2017-6689 | 1 Cisco | 1 Elastic Services Controller | 2019-10-02 | 6.5 MEDIUM | 8.8 HIGH |
A vulnerability in the ConfD CLI of Cisco Elastic Services Controllers could allow an authenticated, remote attacker to log in to an affected system as the admin user, aka an Insecure Default Administrator Credentials Vulnerability. More Information: CSCvc76661. Known Affected Releases: 2.2(9.76). | |||||
CVE-2017-6693 | 1 Cisco | 1 Elastic Services Controller | 2019-10-02 | 2.1 LOW | 5.5 MEDIUM |
A vulnerability in the ConfD server component of Cisco Elastic Services Controllers could allow an authenticated, local attacker to access information stored in the file system of an affected system, aka Unauthorized Directory Access. More Information: CSCvd76286. Known Affected Releases: 2.2(9.76) 2.3(1). | |||||
CVE-2017-6688 | 1 Cisco | 1 Elastic Services Controller | 2019-10-02 | 9.0 HIGH | 8.8 HIGH |
A vulnerability in Cisco Elastic Services Controllers could allow an authenticated, remote attacker to log in to an affected system as the Linux root user, aka an Insecure Default Password Vulnerability. More Information: CSCvc76631. Known Affected Releases: 2.2(9.76). | |||||
CVE-2017-6684 | 1 Cisco | 1 Elastic Services Controller | 2019-10-02 | 9.0 HIGH | 8.8 HIGH |
A vulnerability in Cisco Elastic Services Controllers could allow an authenticated, remote attacker to log in to an affected system as the Linux admin user, aka an Insecure Default Credentials Vulnerability. More Information: CSCvc76651. Known Affected Releases: 21.0.0. | |||||
CVE-2017-6776 | 1 Cisco | 1 Elastic Services Controller | 2017-08-25 | 4.3 MEDIUM | 6.1 MEDIUM |
A vulnerability in the web framework of Cisco Elastic Services Controller (ESC) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface. The vulnerability is due to insufficient validation of user-supplied input by the affected software. An attacker could exploit this vulnerability by convincing a user to access a malicious link or by intercepting a user request and injecting malicious code into the request. An exploit could allow the attacker to execute arbitrary script code in the context of the affected site or allow the attacker to access sensitive browser-based information. Cisco Bug IDs: CSCvd76324. Known Affected Releases: 2.2(9.76) and 2.3(1). | |||||
CVE-2017-6786 | 1 Cisco | 1 Elastic Services Controller | 2017-08-24 | 4.6 MEDIUM | 6.3 MEDIUM |
A vulnerability in Cisco Elastic Services Controller could allow an authenticated, local, unprivileged attacker to access sensitive information, including credentials for system accounts, on an affected system. The vulnerability is due to improper protection of sensitive log files. An attacker could exploit this vulnerability by logging in to an affected system and accessing unprotected log files. A successful exploit could allow the attacker to access sensitive log files, which may include system credentials, on the affected system. Cisco Bug IDs: CSCvc76616. Known Affected Releases: 2.2(9.76). | |||||
CVE-2017-6777 | 1 Cisco | 1 Elastic Services Controller | 2017-08-22 | 4.0 MEDIUM | 4.9 MEDIUM |
A vulnerability in the ConfD server of the Cisco Elastic Services Controller (ESC) could allow an authenticated, remote attacker to acquire sensitive system information. The vulnerability is due to insufficient protection of sensitive files on the system. An attacker could exploit this vulnerability by logging into the ConfD server and executing certain commands. An exploit could allow an unprivileged user to view configuration parameters that can be maliciously used. Cisco Bug IDs: CSCvd76409. Known Affected Releases: 2.3, 2.3(2). | |||||
CVE-2017-6772 | 1 Cisco | 1 Elastic Services Controller | 2017-08-22 | 4.0 MEDIUM | 4.3 MEDIUM |
A vulnerability in Cisco Elastic Services Controller (ESC) could allow an authenticated, remote attacker to view sensitive information. The vulnerability is due to insufficient protection of sensitive data. An attacker could exploit this vulnerability by authenticating to the application and navigating to certain configuration files. An exploit could allow the attacker to view sensitive system configuration files. Cisco Bug IDs: CSCvd29408. Known Affected Releases: 2.3(2). | |||||
CVE-2017-6712 | 1 Cisco | 1 Elastic Services Controller | 2017-07-07 | 9.0 HIGH | 8.8 HIGH |
A vulnerability in certain commands of Cisco Elastic Services Controller could allow an authenticated, remote attacker to elevate privileges to root and run dangerous commands on the server. The vulnerability occurs because a "tomcat" user on the system can run certain shell commands, allowing the user to overwrite any file on the filesystem and elevate privileges to root. This vulnerability affects Cisco Elastic Services Controller prior to releases 2.3.1.434 and 2.3.2. Cisco Bug IDs: CSCvc76634. | |||||
CVE-2017-6683 | 1 Cisco | 1 Elastic Services Controller | 2017-06-23 | 9.0 HIGH | 8.8 HIGH |
A vulnerability in the esc_listener.py script of Cisco Elastic Services Controllers could allow an authenticated, remote attacker to execute arbitrary commands as the tomcat user on an affected system, aka an Authentication Request Processing Arbitrary Command Execution Vulnerability. More Information: CSCvc76642. Known Affected Releases: 2.2(9.76). | |||||
CVE-2017-6682 | 1 Cisco | 1 Elastic Services Controller | 2017-06-23 | 6.5 MEDIUM | 8.8 HIGH |
A vulnerability in the ConfD CLI of Cisco Elastic Services Controllers could allow an authenticated, remote attacker to run arbitrary commands as the Linux tomcat user on an affected system. More Information: CSCvc76620. Known Affected Releases: 2.2(9.76). | |||||
CVE-2017-6697 | 1 Cisco | 1 Elastic Services Controller | 2017-06-20 | 4.0 MEDIUM | 6.5 MEDIUM |
A vulnerability in the web interface of Cisco Elastic Services Controllers could allow an authenticated, remote attacker to access sensitive system credentials that are stored in an affected system. More Information: CSCvd76339. Known Affected Releases: 2.2(9.76). | |||||
CVE-2017-6696 | 1 Cisco | 1 Elastic Services Controller | 2017-06-20 | 2.1 LOW | 5.5 MEDIUM |
A vulnerability in the file system of Cisco Elastic Services Controllers could allow an authenticated, local attacker to gain access to sensitive user credentials that are stored in an affected system. More Information: CSCvd73677. Known Affected Releases: 2.3(2). | |||||
CVE-2017-6691 | 1 Cisco | 1 Elastic Services Controller | 2017-06-20 | 4.0 MEDIUM | 6.5 MEDIUM |
A vulnerability in the ConfD CLI of Cisco Elastic Services Controllers could allow an authenticated, remote attacker to access sensitive information on an affected system. More Information: CSCvd29403. Known Affected Releases: 2.3(2). |