A vulnerability classified as critical was found in Cisco UCS Central Software 1.3(0.99) (Virtualization Software). Affected by this vulnerability is an unknown code of the component Web Framework. The manipulation with an unknown input leads to a input validation vulnerability (File). The CWE definition for the vulnerability is CWE-20. The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. As an impact it is known to affect confidentiality. The summary by CVE is:

The web framework in Cisco UCS Central Software 1.3(0.99) allows remote attackers to read arbitrary files via a crafted HTTP request, aka Bug ID CSCuu41377.

The weakness was presented 07/29/2015 as CSCuu41377 as not defined advisory (Website). It is possible to read the advisory at securitytracker.com. This vulnerability is known as CVE-2015-4286 since 06/04/2015. The attack can be launched remotely. The exploitation doesn't need any form of authentication. The technical details are unknown and an exploit is not publicly available. The pricing for an exploit might be around USD $0-$5k at the moment (estimation calculated on 06/07/2022).

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

See VDB-121937, VDB-124820, VDB-124821 and VDB-124862 for similar entries.

Productinfo

Type

• Virtualization Software

Vendor

• Cisco

Name

• UCS Central Software

Version

• 1.3(0.99)

License

• commercial

Support

• end of life (old version)

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion