Vulnerability CVE-2008-6710 - CERT Civis.Net

Vulnerability Name:

CVE-2008-6710 (CCN-43386)

Assigned:

2008-06-25

Published:

2008-06-25

Updated:

2017-08-17

Summary:

Unspecified vulnerability in the Web administration interface in Avaya Communication Manager 3.1.x before CM 3.1.4 SP2 and 4.0.x before 4.0.3 SP1 allows remote authenticated administrators to gain root privileges via unknown vectors related to "configuring data viewing or restoring credentials."

CVSS v3 Severity:

9.0 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): Required
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

CVSS v2 Severity:

9.0 High (CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C)
7.3 High (Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:U/RL:U/RC:UR)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

9.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C)
7.3 High (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:U/RL:U/RC:UR)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

Vulnerability Type:

Vulnerability Consequences:

Gain Privileges

References:

Source: MITRE
Type: CNA
CVE-2008-6710

Source: CCN
Type: SA30799
Avaya Communication Manager Input Validation Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
30799

Source: CONFIRM
Type: Vendor Advisory
http://support.avaya.com/elmodocs2/security/ASA-2008-270.htm

Source: CCN
Type: ASA-2008-270
Additional Input Validation Vulnerabilities in Avaya Communication Manager Web Interface

Source: CCN
Type: Avaya Web site
Telecommunication Systems by Avaya: Business Telecommunications for your Company

Source: OSVDB
Type: UNKNOWN
46582

Source: CCN
Type: OSVDB ID: 46582
Avaya Communication Manager Web Interface Data Viewing Configuration Unspecified Arbitrary Code Execution

Source: BID
Type: UNKNOWN
29939

Source: CCN
Type: BID-29939
Avaya Communication Manager Multiple Security Vulnerabilities

Source: CCN
Type: VoIP Security Advisory, 2008-06-25
Communication Manager View/Restore Data Credential Privilege Elevation

Source: MISC
Type: UNKNOWN
http://www.voipshield.com/research-details.php?id=79

Source: VUPEN
Type: UNKNOWN
ADV-2008-1944

Source: XF
Type: UNKNOWN
avaya-cm-interface-code-execution(43386)

Source: XF
Type: UNKNOWN
avaya-cm-interface-code-execution(43386)

Vulnerable Configuration:

Configuration 1:

cpe:/a:avaya:communication_manager:3.1:*:*:*:*:*:*:*

OR cpe:/a:avaya:communication_manager:3.1.1:*:*:*:*:*:*:*

OR cpe:/a:avaya:communication_manager:3.1.2:*:*:*:*:*:*:*

OR cpe:/a:avaya:communication_manager:3.1.3:*:*:*:*:*:*:*

OR cpe:/a:avaya:communication_manager:4.0:*:*:*:*:*:*:*

OR cpe:/a:avaya:communication_manager:4.0.1:*:*:*:*:*:*:*

OR cpe:/a:avaya:communication_manager:4.0.1:sp15215:*:*:*:*:*:*

OR cpe:/a:avaya:communication_manager:4.0.1:sp15500:*:*:*:*:*:*

OR cpe:/a:avaya:communication_manager:4.0.2:*:*:*:*:*:*:*

OR cpe:/a:avaya:communication_manager:4.0.2:sp1:*:*:*:*:*:*

OR cpe:/a:avaya:communication_manager:4.0.3:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:avaya:communication_manager:3.1:*:*:*:*:*:*:*

OR cpe:/a:avaya:communication_manager:4.0:*:*:*:*:*:*:*

Denotes that component is vulnerable