#VU96801 Information disclosure in Cisco Smart Licensing Utility
Vulnerability identifier: #VU96801
Vulnerability risk: Critical
CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-200
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Cisco Smart Licensing Utility
Server applications /
Other server solutions
Vendor: Cisco Systems, Inc
Description
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to excessive data output by the API. A remote attacker can send a specially crafted HTTP request and obtain log files that contain sensitive data, including credentials that can be used to access the API.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Cisco Smart Licensing Utility: 2.0.0 - 2.2.0
External links
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cslu-7gHMzWmw
http://bst.cloudapps.cisco.com/bugsearch/bug/CSCwi47950
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
