Vulnerability Name:

CVE-2014-0657 (CCN-90120)

Assigned:2014-01-07
Published:2014-01-07
Updated:2017-08-29
Summary:The administration portal in Cisco Unified Communications Manager (Unified CM) 9.1(1) and earlier does not properly handle role restrictions, which allows remote authenticated users to bypass role-based access control via multiple visits to a forbidden portal URL, aka Bug ID CSCuj83540.
CVSS v3 Severity:3.5 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availibility (A): None
CVSS v2 Severity:4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N)
3.0 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N)
3.0 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
Vulnerability Type:CWE-264
Vulnerability Consequences:Bypass Security
References:Source: MITRE
Type: CNA
CVE-2014-0657

Source: OSVDB
Type: UNKNOWN
101800

Source: CCN
Type: SA56368
Cisco Unified Communications Manager Administration Portal Access Bypass Vulnerability

Source: SECUNIA
Type: UNKNOWN
56368

Source: CCN
Type: Cisco Security Notice
Cisco Unified Communications Manager Role Bypass Vulnerability

Source: CISCO
Type: Vendor Advisory
20140107 Cisco Unified Communications Manager Role Bypass Vulnerability

Source: CONFIRM
Type: Vendor Advisory
http://tools.cisco.com/security/center/viewAlert.x?alertId=32341

Source: BID
Type: Third Party Advisory, VDB Entry
64690

Source: CCN
Type: BID-64690
Cisco Unified Communications Manager Unauthorized Access Vulnerability

Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1029571

Source: XF
Type: UNKNOWN
cisco-ucm-cve20140657-sec-bypass(90120)

Source: XF
Type: UNKNOWN
cisco-ucm-cve20140657-sec-bypass(90120)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:cisco:unified_communications_manager:3.3(5):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:3.3(5)sr1:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:3.3(5)sr2a:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:4.1(3):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:4.1(3)sr1:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:4.1(3)sr2:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:4.1(3)sr3:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:4.1(3)sr4:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:4.2:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:4.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:4.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:4.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:4.2.3sr1:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:4.2.3sr2:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:4.2.3sr2b:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:4.3:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:4.3(1):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:5.0:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:5.1:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:5.1(1):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:5.1(1b):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:5.1(1c):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:5.1(2):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:5.1(2a):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:5.1(2b):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:5.1(3):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:5.1(3a):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:5.1(3c):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:5.1(3d):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:5.1(3e):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:5.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:6.0(1):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:6.0(1a):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:6.0(1b):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:6.1(1):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:6.1(1a):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:6.1(1b):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:6.1(2):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:6.1(2)su1:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:6.1(2)su1a:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:6.1(3):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:6.1(3a):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:6.1(3b):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:6.1(3b)su1:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:6.1(4):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:6.1(4)su1:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:6.1(4a):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:6.1(4a)su2:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:6.1(5):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:6.1(5)su1:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:6.1(5)su2:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:6.1(5)su3:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:7.0(1)su1:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:7.0(1)su1a:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:7.0(2):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:7.0(2a):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:7.0(2a)su1:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:7.0(2a)su2:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:7.1(2a):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:7.1(2a)su1:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:7.1(2b):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:7.1(2b)su1:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:7.1(3):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:7.1(3a):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:7.1(3a)su1:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:7.1(3a)su1a:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:7.1(3b):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:7.1(3b)su1:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:7.1(3b)su2:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:7.1(5):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:7.1(5)su1:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:7.1(5)su1a:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:7.1(5a):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:7.1(5b):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:7.1(5b)su1:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:7.1(5b)su1a:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:7.1(5b)su2:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:7.1(5b)su3:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:7.1(5b)su4:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:7.1(5b)su5:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:7.1(5b)su6:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:8.0:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:8.0(1):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:8.0(2):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:8.0(2a):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:8.0(2b):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:8.0(2c):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:8.0(2c)su1:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:8.0(3):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:8.0(3a):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:8.0(3a)su1:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:8.0(3a)su2:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:8.0(3a)su3:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:8.5:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:8.5(1):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:8.5(1)su1:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:8.5(1)su2:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:8.5(1)su3:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:8.5(1)su4:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:8.5(1)su5:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:8.6:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:8.6(1):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:8.6(1a):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:8.6(2):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:8.6(2a):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:8.6(2a)su1:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:8.6(2a)su2:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:8.6(2a)su3:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:8.6(3):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:8.6(4):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:9.0(1):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:unified_communications_manager:*:*:*:*:*:*:*:* (Version <= 9.1(1))

    • Configuration CCN 1:
  • cpe:/a:cisco:unified_communications_manager:*:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    cisco unified communications manager 3.3(5)
    cisco unified communications manager 3.3(5)sr1
    cisco unified communications manager 3.3(5)sr2a
    cisco unified communications manager 4.1(3)
    cisco unified communications manager 4.1(3)sr1
    cisco unified communications manager 4.1(3)sr2
    cisco unified communications manager 4.1(3)sr3
    cisco unified communications manager 4.1(3)sr4
    cisco unified communications manager 4.2
    cisco unified communications manager 4.2.1
    cisco unified communications manager 4.2.2
    cisco unified communications manager 4.2.3
    cisco unified communications manager 4.2.3sr1
    cisco unified communications manager 4.2.3sr2
    cisco unified communications manager 4.2.3sr2b
    cisco unified communications manager 4.3
    cisco unified communications manager 4.3(1)
    cisco unified communications manager 5.0
    cisco unified communications manager 5.1
    cisco unified communications manager 5.1(1)
    cisco unified communications manager 5.1(1b)
    cisco unified communications manager 5.1(1c)
    cisco unified communications manager 5.1(2)
    cisco unified communications manager 5.1(2a)
    cisco unified communications manager 5.1(2b)
    cisco unified communications manager 5.1(3)
    cisco unified communications manager 5.1(3a)
    cisco unified communications manager 5.1(3c)
    cisco unified communications manager 5.1(3d)
    cisco unified communications manager 5.1(3e)
    cisco unified communications manager 5.1.2
    cisco unified communications manager 6.0
    cisco unified communications manager 6.0(1)
    cisco unified communications manager 6.0(1a)
    cisco unified communications manager 6.0(1b)
    cisco unified communications manager 6.1(1)
    cisco unified communications manager 6.1(1a)
    cisco unified communications manager 6.1(1b)
    cisco unified communications manager 6.1(2)
    cisco unified communications manager 6.1(2)su1
    cisco unified communications manager 6.1(2)su1a
    cisco unified communications manager 6.1(3)
    cisco unified communications manager 6.1(3a)
    cisco unified communications manager 6.1(3b)
    cisco unified communications manager 6.1(3b)su1
    cisco unified communications manager 6.1(4)
    cisco unified communications manager 6.1(4)su1
    cisco unified communications manager 6.1(4a)
    cisco unified communications manager 6.1(4a)su2
    cisco unified communications manager 6.1(5)
    cisco unified communications manager 6.1(5)su1
    cisco unified communications manager 6.1(5)su2
    cisco unified communications manager 6.1(5)su3
    cisco unified communications manager 7.0(1)su1
    cisco unified communications manager 7.0(1)su1a
    cisco unified communications manager 7.0(2)
    cisco unified communications manager 7.0(2a)
    cisco unified communications manager 7.0(2a)su1
    cisco unified communications manager 7.0(2a)su2
    cisco unified communications manager 7.1(2a)
    cisco unified communications manager 7.1(2a)su1
    cisco unified communications manager 7.1(2b)
    cisco unified communications manager 7.1(2b)su1
    cisco unified communications manager 7.1(3)
    cisco unified communications manager 7.1(3a)
    cisco unified communications manager 7.1(3a)su1
    cisco unified communications manager 7.1(3a)su1a
    cisco unified communications manager 7.1(3b)
    cisco unified communications manager 7.1(3b)su1
    cisco unified communications manager 7.1(3b)su2
    cisco unified communications manager 7.1(5)
    cisco unified communications manager 7.1(5)su1
    cisco unified communications manager 7.1(5)su1a
    cisco unified communications manager 7.1(5a)
    cisco unified communications manager 7.1(5b)
    cisco unified communications manager 7.1(5b)su1
    cisco unified communications manager 7.1(5b)su1a
    cisco unified communications manager 7.1(5b)su2
    cisco unified communications manager 7.1(5b)su3
    cisco unified communications manager 7.1(5b)su4
    cisco unified communications manager 7.1(5b)su5
    cisco unified communications manager 7.1(5b)su6
    cisco unified communications manager 8.0
    cisco unified communications manager 8.0(1)
    cisco unified communications manager 8.0(2)
    cisco unified communications manager 8.0(2a)
    cisco unified communications manager 8.0(2b)
    cisco unified communications manager 8.0(2c)
    cisco unified communications manager 8.0(2c)su1
    cisco unified communications manager 8.0(3)
    cisco unified communications manager 8.0(3a)
    cisco unified communications manager 8.0(3a)su1
    cisco unified communications manager 8.0(3a)su2
    cisco unified communications manager 8.0(3a)su3
    cisco unified communications manager 8.5
    cisco unified communications manager 8.5(1)
    cisco unified communications manager 8.5(1)su1
    cisco unified communications manager 8.5(1)su2
    cisco unified communications manager 8.5(1)su3
    cisco unified communications manager 8.5(1)su4
    cisco unified communications manager 8.5(1)su5
    cisco unified communications manager 8.6
    cisco unified communications manager 8.6(1)
    cisco unified communications manager 8.6(1a)
    cisco unified communications manager 8.6(2)
    cisco unified communications manager 8.6(2a)
    cisco unified communications manager 8.6(2a)su1
    cisco unified communications manager 8.6(2a)su2
    cisco unified communications manager 8.6(2a)su3
    cisco unified communications manager 8.6(3)
    cisco unified communications manager 8.6(4)
    cisco unified communications manager 9.0(1)
    cisco unified communications manager *
    cisco unified communications manager *