CVE-2018-15382
moderate-risk
Published 2018-10-05
A vulnerability in Cisco HyperFlex Software could allow an unauthenticated, remote attacker to generate valid, signed session tokens. The vulnerability is due to a static signing key that is present in all Cisco HyperFlex systems. An attacker could exploit this vulnerability by accessing the static signing key from one HyperFlex system and using it to generate valid, signed session tokens for another HyperFlex system. A successful exploit could allow the attacker to access the HyperFlex Web UI of a system for which they are not authorized.
Do I need to act?
-
0.68% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.6/10
High
NETWORK
/ LOW complexity
Affected Products (1)
Affected Vendors
References (4)
Third Party Advisory
http://www.securityfocus.com/bid/105518
Third Party Advisory
http://www.securityfocus.com/bid/105518
36
/ 100
moderate-risk
Severity
29/34 · Critical
Exploitability
2/34 · Minimal
Exposure
5/34 · Minimal