Vulnerabilities > CVE-2013-3455 - Credentials Management vulnerability in Cisco Finesse

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(130060);
  script_version("1.3");
  script_cvs_date("Date: 2019/10/31 15:18:51");

  script_cve_id("CVE-2013-3455");
  script_xref(name:"CISCO-BUG-ID", value:"CSCug16732");
  script_xref(name:"CISCO-SA", value:"Cisco-SA-20130812-CVE-2013-3455");

  script_name(english:"Cisco Finesse Appliance User Data Information Disclosure Vulnerability (Cisco-SA-20130812-CVE-2013-3455)");
  script_summary(english:"Checks the Cisco Finesse appliance version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, the Cisco Finesse appliance is affected by an information disclosure
vulnerability in HTTP queries due to insufficient encryption. An unauthenticated, remote attacker can exploit this, via
capturing the HTTP query, to disclose potentially sensitive information.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/Cisco-SA-20130812-CVE-2013-3455
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?73d2a99d");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCug16732");
  script_set_attribute(attribute:"solution", value:
"Apply the patch or upgrade to the version recommended in Cisco bug ID CSCug16732");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2013-3455");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_cwe_id(200);

  script_set_attribute(attribute:"vuln_publication_date", value:"2013/08/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/08/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/21");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:finesse");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_voss_finesse_installed.nbin");
  script_require_keys("installed_sw/Cisco VOSS Finesse", "Settings/ParanoidReport");

  exit(0);
}

include('vcf.inc');
include('vcf_extras.inc');

app_info = vcf::cisco_finesse::get_app_info(app:'Cisco VOSS Finesse');

if (report_paranoia < 2) audit(AUDIT_PARANOID);

constraints = [
  { 'min_version':'0', 'fixed_version':'10.0.1', 'fixed_display' : 'Refer to Cisco Bug ID: CSCug16732' }
];

vcf::cisco_finesse::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);