CVE-2015-6435 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cisco	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 91%

Vendor	Product	Version
cisco	firepower_extensible_operating_system	1.1\(1.86\)
cisco	firepower_extensible_operating_system	1.1\(1.160\)
cisco	firepower_extensible_operating_system	1.1.1
cisco	unified_computing_system	1.0\(2k\)
cisco	unified_computing_system	1.0_base:_base
cisco	unified_computing_system	1.1\(1m\)
cisco	unified_computing_system	1.1_base:_base
cisco	unified_computing_system	1.2\(1d\)
cisco	unified_computing_system	1.2_base:_base
cisco	unified_computing_system	1.3\(1c\)
cisco	unified_computing_system	1.3\(1m\)
cisco	unified_computing_system	1.3\(1n\)
cisco	unified_computing_system	1.3\(1o\)
cisco	unified_computing_system	1.3\(1p\)
cisco	unified_computing_system	1.3\(1q\)
cisco	unified_computing_system	1.3\(1t\)
cisco	unified_computing_system	1.3\(1w\)
cisco	unified_computing_system	1.3\(1y\)
cisco	unified_computing_system	1.3_base:_base
cisco	unified_computing_system	1.4\(1i\)
cisco	unified_computing_system	1.4\(1j\)
cisco	unified_computing_system	1.4\(1m\)
cisco	unified_computing_system	1.4\(3i\)
cisco	unified_computing_system	1.4\(3l\)
cisco	unified_computing_system	1.4\(3m\)
cisco	unified_computing_system	1.4\(3q\)
cisco	unified_computing_system	1.4\(3s\)
cisco	unified_computing_system	1.4\(3u\)
cisco	unified_computing_system	1.4\(3y\)
cisco	unified_computing_system	1.4\(4f\)
cisco	unified_computing_system	1.4\(4g\)
cisco	unified_computing_system	1.4\(4i\)
cisco	unified_computing_system	1.4\(4j\)
cisco	unified_computing_system	1.4\(4k\)
cisco	unified_computing_system	1.4_base:_base
cisco	unified_computing_system	2.0\(1m\)
cisco	unified_computing_system	2.0\(1q\)
cisco	unified_computing_system	2.0\(1s\)
cisco	unified_computing_system	2.0\(1t\)
cisco	unified_computing_system	2.0\(1w\)
cisco	unified_computing_system	2.0\(1x\)
cisco	unified_computing_system	2.0\(2m\)
cisco	unified_computing_system	2.0\(2q\)
cisco	unified_computing_system	2.0\(2r\)
cisco	unified_computing_system	2.0\(3a\)
cisco	unified_computing_system	2.0\(3b\)
cisco	unified_computing_system	2.0\(3c\)
cisco	unified_computing_system	2.0\(4a\)
cisco	unified_computing_system	2.0\(4b\)
cisco	unified_computing_system	2.0\(4d\)
cisco	unified_computing_system	2.0\(5a\)
cisco	unified_computing_system	2.0\(5b\)
cisco	unified_computing_system	2.0\(5c\)
cisco	unified_computing_system	2.0_base:_base
cisco	unified_computing_system	2.1\(1a\)
cisco	unified_computing_system	2.1\(1b\)
cisco	unified_computing_system	2.1\(1d\)
cisco	unified_computing_system	2.1\(1e\)
cisco	unified_computing_system	2.1\(1f\)
cisco	unified_computing_system	2.1\(2a\)
cisco	unified_computing_system	2.1_base:_base
cisco	unified_computing_system	2.2\(1b\)
cisco	unified_computing_system	2.2\(1c\)
cisco	unified_computing_system	2.2\(1d\)
cisco	unified_computing_system	2.2\(1e\)
cisco	unified_computing_system	2.2\(1f\)
cisco	unified_computing_system	2.2\(1g\)
cisco	unified_computing_system	2.2\(1h\)
cisco	unified_computing_system	2.2\(2c\)
cisco	unified_computing_system	2.2\(2c\)a
cisco	unified_computing_system	2.2\(3a\)
cisco	unified_computing_system	2.2\(3b\)
cisco	unified_computing_system	2.2\(3c\)
cisco	unified_computing_system	2.2\(3d\)
cisco	unified_computing_system	2.2\(3e\)
cisco	unified_computing_system	2.2\(3f\)
cisco	unified_computing_system	2.2\(3g\)
cisco	unified_computing_system	2.2\(4b\)
cisco	unified_computing_system	2.2\(4c\)
cisco	unified_computing_system	2.2\(5a\)
cisco	unified_computing_system	2.2_base:_base
cisco	unified_computing_system	3.0\(1c\)
cisco	unified_computing_system	3.0\(1d\)
cisco	unified_computing_system	3.0\(1e\)
cisco	unified_computing_system	3.0\(2c\)
cisco	unified_computing_system	3.0\(2d\)

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References

http://packetstormsecurity.com/files/160991/Cisco-UCS-Manager-2.2-1d-Remote-Command-Execution.html

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160120-ucsm

http://www.securitytracker.com/id/1034743

http://packetstormsecurity.com/files/160991/Cisco-UCS-Manager-2.2-1d-Remote-Command-Execution.html

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160120-ucsm

http://www.securitytracker.com/id/1034743