CVE-2018-15615 - OpenCVE

A vulnerability in the Supervisor component of Avaya Call Management System allows local administrative user to extract sensitive information from users connecting to a remote CMS host. Affected versions of CMS Supervisor include R17.0.x and R18.0.x.

No CVSS v3.1

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Avaya	Call Management System Supervisor

Configuration 1 [-]

OR	cpe:2.3:a:avaya:call_management_system_supervisor:17.0.0:::::::*
	cpe:2.3:a:avaya:call_management_system_supervisor:18.0.1.0:::::::*
	cpe:2.3:a:avaya:call_management_system_supervisor:18.0.2.0:::::::*

References

Link	Resource
http://www.securityfocus.com/bid/105392	Third Party Advisory VDB Entry
https://downloads.avaya.com/css/P8/documents/101052300	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: avaya

Published: 2018-09-24T13:00:00

Updated: 2018-09-26T09:57:01

Reserved: 2018-08-21T00:00:00

Link: CVE-2018-15615

JSON object: View

NVD Information

Status : Modified

Published: 2018-09-24T12:29:00.237

Modified: 2019-10-09T23:35:46.237

Link: CVE-2018-15615

JSON object: View

Redhat Information

No data.

CWE

CWE-200

{"containers": {"cna": {"affected": [{"product": "Call Management System Supervisor", "vendor": "Avaya", "versions": [{"status": "affected", "version": "Affected verisons include R17.0.x and R18.0.x"}]}], "datePublic": "2018-09-21T00:00:00", "descriptions": [{"lang": "en", "value": "A vulnerability in the Supervisor component of Avaya Call Management System allows local administrative user to extract sensitive information from users connecting to a remote CMS host. Affected versions of CMS Supervisor include R17.0.x and R18.0.x."}], "metrics": [{"cvssV3_0": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200: Information Exposure", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-09-26T09:57:01", "orgId": "9d670455-bdb5-4cca-a883-5914865f5d96", "shortName": "avaya"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://downloads.avaya.com/css/P8/documents/101052300"}, {"name": "105392", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/105392"}], "source": {"advisory": "ASA-2018-280"}, "title": "CMS Supervisor Information Disclosure", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "securityalerts@avaya.com", "ID": "CVE-2018-15615", "STATE": "PUBLIC", "TITLE": "CMS Supervisor Information Disclosure"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Call Management System Supervisor", "version": {"version_data": [{"version_value": "Affected verisons include R17.0.x and R18.0.x"}]}}]}, "vendor_name": "Avaya"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability in the Supervisor component of Avaya Call Management System allows local administrative user to extract sensitive information from users connecting to a remote CMS host. Affected versions of CMS Supervisor include R17.0.x and R18.0.x."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-200: Information Exposure"}]}]}, "references": {"reference_data": [{"name": "https://downloads.avaya.com/css/P8/documents/101052300", "refsource": "CONFIRM", "url": "https://downloads.avaya.com/css/P8/documents/101052300"}, {"name": "105392", "refsource": "BID", "url": "http://www.securityfocus.com/bid/105392"}]}, "source": {"advisory": "ASA-2018-280"}}}}, "cveMetadata": {"assignerOrgId": "9d670455-bdb5-4cca-a883-5914865f5d96", "assignerShortName": "avaya", "cveId": "CVE-2018-15615", "datePublished": "2018-09-24T13:00:00", "dateReserved": "2018-08-21T00:00:00", "dateUpdated": "2018-09-26T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:avaya:call_management_system_supervisor:17.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "5EBA9AE0-BB26-4A4A-975C-F6D7A23B3301", "vulnerable": true}, {"criteria": "cpe:2.3:a:avaya:call_management_system_supervisor:18.0.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "F1D82CD8-A47D-44D7-A744-723652A27135", "vulnerable": true}, {"criteria": "cpe:2.3:a:avaya:call_management_system_supervisor:18.0.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "C8EE901F-5E3B-40AA-9DC5-8D53D255FCE7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in the Supervisor component of Avaya Call Management System allows local administrative user to extract sensitive information from users connecting to a remote CMS host. Affected versions of CMS Supervisor include R17.0.x and R18.0.x."}, {"lang": "es", "value": "Una vulnerabilidad en el componente Supervisor de Avaya Call Management System permite que un usuario local administrador extraiga informaci\u00f3n sensible de usuarios que se conectan a un host CMS remoto. Las versiones afectadas de CMS Supervisor incluyen la R17.0.x y la R18.0.x."}], "id": "CVE-2018-15615", "lastModified": "2019-10-09T23:35:46.237", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 0.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 0.6, "impactScore": 6.0, "source": "securityalerts@avaya.com", "type": "Secondary"}]}, "published": "2018-09-24T12:29:00.237", "references": [{"source": "securityalerts@avaya.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/105392"}, {"source": "securityalerts@avaya.com", "tags": ["Vendor Advisory"], "url": "https://downloads.avaya.com/css/P8/documents/101052300"}], "sourceIdentifier": "securityalerts@avaya.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "securityalerts@avaya.com", "type": "Secondary"}]}