CVE-2016-9207

A vulnerability in the HTTP traffic server component of Cisco Expressway could allow an unauthenticated, remote attacker to initiate TCP connections to arbitrary hosts. This does not allow for full traffic proxy through the Expressway. Affected Products: This vulnerability affects Cisco Expressway Series Software and Cisco TelePresence Video Communication Server (VCS). More Information: CSCvc10834. Known Affected Releases: X8.7.2 X8.8.3. Known Fixed Releases: X8.9.

CVSS v3 6.5 MEDIUM
CVSS v2.0 6.4 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Exploitability : 3.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

6.4^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:P

Exploitability : 10.0 / Impact : 4.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
http://www.securityfocus.com/bid/94797	Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1037422	Third Party Advisory VDB Entry
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161207-expressway	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:cisco:expressway:x8.7.2:::::::*
	cpe:2.3:a:cisco:expressway:x8.8.3:::::::*

History

No history.

Information

Published : 2016-12-14 00:59

Updated : 2023-12-10 12:01

NVD link : CVE-2016-9207

Mitre link : CVE-2016-9207

CVE.ORG link : CVE-2016-9207

JSON object : View

Products Affected

cisco

expressway

CWE

CWE-20

Improper Input Validation

CWE-254

7PK - Security Features

{"id": "CVE-2016-9207", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.4, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 3.9}]}, "published": "2016-12-14T00:59:28.693", "references": [{"url": "http://www.securityfocus.com/bid/94797", "tags": ["Third Party Advisory", "VDB Entry"], "source": "ykramarz@cisco.com"}, {"url": "http://www.securitytracker.com/id/1037422", "tags": ["Third Party Advisory", "VDB Entry"], "source": "ykramarz@cisco.com"}, {"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161207-expressway", "tags": ["Vendor Advisory"], "source": "ykramarz@cisco.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-254"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in the HTTP traffic server component of Cisco Expressway could allow an unauthenticated, remote attacker to initiate TCP connections to arbitrary hosts. This does not allow for full traffic proxy through the Expressway. Affected Products: This vulnerability affects Cisco Expressway Series Software and Cisco TelePresence Video Communication Server (VCS). More Information: CSCvc10834. Known Affected Releases: X8.7.2 X8.8.3. Known Fixed Releases: X8.9."}, {"lang": "es", "value": "Una vulnerabilidad en el componente de tr\u00e1fico de servidor HTTP de Cisco Expressway podr\u00eda permitir a un atacante remoto no autenticado iniciar conexiones TCP a anfitriones arbitrarios. Esto no permite un proxy de tr\u00e1fico completo a trav\u00e9s del Expressway. Productos Afectados: Esta vulnerabilidad afecta a Cisco Expressway Series Software y Cisco TelePresence Video Communication Server (VCS). M\u00e1s Informaci\u00f3n: CSCvc10834. Lanzamientos Afectados Conocidos: X8.7.2 X8.8.3. Lanzamientos Reparados Conocidos: X8.9."}], "lastModified": "2016-12-22T21:11:36.317", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cisco:expressway:x8.7.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BB29BE2C-42EF-416E-B804-40D4153A1D20"}, {"criteria": "cpe:2.3:a:cisco:expressway:x8.8.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AEDA594D-13EF-4CF3-AA86-A39E46CCD6F0"}], "operator": "OR"}]}], "sourceIdentifier": "ykramarz@cisco.com"}