Cisco Finesse Appliance HTTP Request Processing Server-Side Request Forgery Vulnerability (cisco-sa-20160504-finesse)

high Nessus Plugin ID 130066

Synopsis

The remote host is missing a vendor-supplied security patch.

Description

According to its self-reported version, the Cisco Finesse appliance is affected by a server-side request forgery (SSRF) in application programming interface (API) for gadgets integration due to insufficient access controls. An unauthenticated, remote attacker can exploit this, via crafted HTTP request, to perform an HTTP request to an arbitrary host.

Solution

Apply the patch or upgrade to the version recommended in Cisco bug ID CSCuw86623

See Also

http://www.nessus.org/u?c6f31a9e

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuw86623

Plugin Details

Severity: High

ID: 130066

File Name: cisco-sa-20160504-finesse.nasl

Version: 1.2

Type: local

Family: CISCO

Published: 10/21/2019

Updated: 10/30/2019

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2016-1373

CVSS v3

Risk Factor: High

Base Score: 8.6

Temporal Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:cisco:finesse

Required KB Items: installed_sw/Cisco VOSS Finesse

Exploit Ease: No known exploits are available

Patch Publication Date: 5/4/2016

Vulnerability Publication Date: 5/4/2016

Reference Information

CVE: CVE-2016-1373

CWE: 20

CISCO-SA: cisco-sa-20160504-finesse

CISCO-BUG-ID: CSCuw86623