CVE-2018-1154

In SecurityCenter versions prior to 5.7.0, a username enumeration issue could allow an unauthenticated attacker to automate the discovery of username aliases via brute force, ultimately facilitating unauthorized access. Server response output has been unified to correct this issue.

CVSS v3 8.8 HIGH
CVSS v2.0 3.3 LOW

8.8^/10

CVSS v3 : HIGH

Vector : AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability : 2.8 / Impact : 5.9

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

3.3^/10

CVSS v2.0 : LOW

Vector : AV:A/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 6.5 / Impact : 2.9

Access Vector ADJACENT_NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://www.securitytracker.com/id/1041431	Third Party Advisory VDB Entry
https://www.tenable.com/security/tns-2018-11	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:tenable:securitycenter:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2018-08-02 19:29

Updated : 2023-12-10 12:44

NVD link : CVE-2018-1154

Mitre link : CVE-2018-1154

CVE.ORG link : CVE-2018-1154

JSON object : View

Products Affected

tenable

securitycenter

CWE

NVD-CWE-noinfo

{"id": "CVE-2018-1154", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.3, "accessVector": "ADJACENT_NETWORK", "vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.5, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.8, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2018-08-02T19:29:00.840", "references": [{"url": "http://www.securitytracker.com/id/1041431", "tags": ["Third Party Advisory", "VDB Entry"], "source": "vulnreport@tenable.com"}, {"url": "https://www.tenable.com/security/tns-2018-11", "tags": ["Patch", "Vendor Advisory"], "source": "vulnreport@tenable.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In SecurityCenter versions prior to 5.7.0, a username enumeration issue could allow an unauthenticated attacker to automate the discovery of username aliases via brute force, ultimately facilitating unauthorized access. Server response output has been unified to correct this issue."}, {"lang": "es", "value": "En SecurityCenter, en versiones anteriores a la 5.7.0, un problema de enumeraci\u00f3n de nombres de usuario puede permitir que un atacante no autenticado automatice el descubrimiento de alias de nombres de usuario mediante fuerza bruta, facilitando en \u00faltima instancia el acceso no autorizado. Se ha unificado la salida de la respuesta del servidor para corregir este problema."}], "lastModified": "2019-10-03T00:03:26.223", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:tenable:securitycenter:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "56C3DD11-31E9-4FDA-8EAF-C1D774F7A32F", "versionEndExcluding": "5.7.0"}], "operator": "OR"}]}], "sourceIdentifier": "vulnreport@tenable.com"}