CVE-2017-6722 - OpenCVE

A vulnerability in the Extensible Messaging and Presence Protocol (XMPP) service of Cisco Unified Contact Center Express (UCCx) could allow an unauthenticated, remote attacker to masquerade as a legitimate user, aka a Clear Text Authentication Vulnerability. More Information: CSCuw86638. Known Affected Releases: 10.6(1). Known Fixed Releases: 11.5(1.10000.61).

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Cisco	Unified Contact Center Express

Configuration 1 [-]

OR	cpe:2.3:a:cisco:unified_contact_center_express:11.5\(1\):::::::*
	cpe:2.3:a:cisco:unified_contact_center_express:11.5.1es01:::::::*
	cpe:2.3:a:cisco:unified_contact_center_express:11.5.1su1:::::::*

References

Link	Resource
http://www.securityfocus.com/bid/99201	Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1038749	Third Party Advisory VDB Entry
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-ucce	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: cisco

Published: 2017-07-04T00:00:00

Updated: 2017-07-06T09:57:01

Reserved: 2017-03-09T00:00:00

Link: CVE-2017-6722

JSON object: View

NVD Information

Status : Analyzed

Published: 2017-07-04T00:29:00.697

Modified: 2017-07-07T14:58:36.460

Link: CVE-2017-6722

JSON object: View

Redhat Information

No data.

CWE

CWE-287

{"containers": {"cna": {"affected": [{"product": "Cisco Unified Contact Center Express", "vendor": "n/a", "versions": [{"status": "affected", "version": "Cisco Unified Contact Center Express"}]}], "datePublic": "2017-07-03T00:00:00", "descriptions": [{"lang": "en", "value": "A vulnerability in the Extensible Messaging and Presence Protocol (XMPP) service of Cisco Unified Contact Center Express (UCCx) could allow an unauthenticated, remote attacker to masquerade as a legitimate user, aka a Clear Text Authentication Vulnerability. More Information: CSCuw86638. Known Affected Releases: 10.6(1). Known Fixed Releases: 11.5(1.10000.61)."}], "problemTypes": [{"descriptions": [{"description": "Clear Text Authentication Vulnerability", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-07-06T09:57:01", "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco"}, "references": [{"name": "99201", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/99201"}, {"name": "1038749", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1038749"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-ucce"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@cisco.com", "ID": "CVE-2017-6722", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Cisco Unified Contact Center Express", "version": {"version_data": [{"version_value": "Cisco Unified Contact Center Express"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability in the Extensible Messaging and Presence Protocol (XMPP) service of Cisco Unified Contact Center Express (UCCx) could allow an unauthenticated, remote attacker to masquerade as a legitimate user, aka a Clear Text Authentication Vulnerability. More Information: CSCuw86638. Known Affected Releases: 10.6(1). Known Fixed Releases: 11.5(1.10000.61)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Clear Text Authentication Vulnerability"}]}]}, "references": {"reference_data": [{"name": "99201", "refsource": "BID", "url": "http://www.securityfocus.com/bid/99201"}, {"name": "1038749", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1038749"}, {"name": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-ucce", "refsource": "CONFIRM", "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-ucce"}]}}}}, "cveMetadata": {"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "assignerShortName": "cisco", "cveId": "CVE-2017-6722", "datePublished": "2017-07-04T00:00:00", "dateReserved": "2017-03-09T00:00:00", "dateUpdated": "2017-07-06T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cisco:unified_contact_center_express:11.5\\(1\\):*:*:*:*:*:*:*", "matchCriteriaId": "68236DFF-B60E-4209-B9B4-AC75D393A243", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:unified_contact_center_express:11.5.1es01:*:*:*:*:*:*:*", "matchCriteriaId": "F2CEEC1B-272D-4C36-86C4-93B0D67C5038", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:unified_contact_center_express:11.5.1su1:*:*:*:*:*:*:*", "matchCriteriaId": "F24BD150-99E4-4EE2-81E0-D9589F6D825E", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in the Extensible Messaging and Presence Protocol (XMPP) service of Cisco Unified Contact Center Express (UCCx) could allow an unauthenticated, remote attacker to masquerade as a legitimate user, aka a Clear Text Authentication Vulnerability. More Information: CSCuw86638. Known Affected Releases: 10.6(1). Known Fixed Releases: 11.5(1.10000.61)."}, {"lang": "es", "value": "Una vulnerabilidad en el servicio Extensible Messaging and Presence Protocol (XMPP) de Unified Contact Center Express (UCCx) de Cisco, podr\u00eda permitir a un atacante remoto no identificado hacerse pasar por un usuario leg\u00edtimo, tambi\u00e9n se conoce como una Vulnerabilidad de Autenticaci\u00f3n de Texto Sin Cifrar. M\u00e1s informaci\u00f3n: CSCuw86638. Versiones Afectadas Conocidas: 10.6(1). Versiones Fijas Conocidas: 11.5(1.10000.61)."}], "id": "CVE-2017-6722", "lastModified": "2017-07-07T14:58:36.460", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 5.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-07-04T00:29:00.697", "references": [{"source": "ykramarz@cisco.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/99201"}, {"source": "ykramarz@cisco.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1038749"}, {"source": "ykramarz@cisco.com", "tags": ["Vendor Advisory"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-ucce"}], "sourceIdentifier": "ykramarz@cisco.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}]}