製品・ソフトウェアに関する情報

JVN脆弱性詳細

Cisco Unified Customer Voice Portal における認可・権限・アクセス制御に関する脆弱性

Title	Cisco Unified Customer Voice Portal における認可・権限・アクセス制御に関する脆弱性
Summary	Cisco Unified Customer Voice Portal (CVP) には、認可・権限・アクセス制御に関する脆弱性が存在します。ベンダは、本脆弱性を Bug ID CSCve92752 として公開しています。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Sept. 20, 2017, midnight
Registration Date	Oct. 18, 2017, 1:07 p.m.
Last Update	Oct. 18, 2017, 1:07 p.m.

Affected System

シスコシステムズ

Cisco Unified Customer Voice Portal 10.5

Cisco Unified Customer Voice Portal 11.0

Cisco Unified Customer Voice Portal 11.5

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2017-12214	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12214
National Vulnerability Database (NVD)
2	CVE-2017-12214	https://nvd.nist.gov/vuln/detail/CVE-2017-12214

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-264	https://jvndb.jvn.jp/ja/cwe/CWE-264.html

ベンダー情報

No	Name	URL
Cisco Security Advisory
1	cisco-sa-20170920-cvp	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170920-cvp

Change Log

No	Changed Details	Date of change
0	[2017年10月18日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2017-12214

Summary	A vulnerability in the Operations, Administration, Maintenance, and Provisioning (OAMP) credential reset functionality for Cisco Unified Customer Voice Portal (CVP) could allow an authenticated, remote attacker to gain elevated privileges. The vulnerability is due to a lack of proper input validation. An attacker could exploit this vulnerability by authenticating to the OAMP and sending a crafted HTTP request. A successful exploit could allow the attacker to gain administrator privileges. The attacker must successfully authenticate to the system to exploit this vulnerability. This vulnerability affects Cisco Unified Customer Voice Portal (CVP) running software release 10.5, 11.0, or 11.5. Cisco Bug IDs: CSCve92752.
Publication Date	Sept. 21, 2017, 2:29 p.m.
Registration Date	Jan. 26, 2021, 1:13 p.m.
Last Update	Nov. 21, 2024, 12:09 p.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:cisco:unified_customer_voice_portal:11.0:::::::*
cpe:2.3:a:cisco:unified_customer_voice_portal:11.5:::::::*
cpe:2.3:a:cisco:unified_customer_voice_portal:10.5:::::::*

Related information, measures and tools

No	URL	タグ
1	http://www.securityfocus.com/bid/100931	Third Party Advisory VDB Entry
2	http://www.securityfocus.com/bid/100931	Third Party Advisory VDB Entry
3	http://www.securitytracker.com/id/1039411	Third Party Advisory VDB Entry
4	http://www.securitytracker.com/id/1039411	Third Party Advisory VDB Entry
5	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170920-cvp	Vendor Advisory
6	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170920-cvp	Vendor Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-20	不適切な入力確認	https://cwe.mitre.org/data/definitions/20.html