CVE-2017-6713
CRITICALCisco Elastic Services Controller - Unauthenticated Remote Access via Default Credentials
Title source: llmDescription
A vulnerability in the Play Framework of Cisco Elastic Services Controller (ESC) could allow an unauthenticated, remote attacker to gain full access to the affected system. The vulnerability is due to static, default credentials for the Cisco ESC UI that are shared between installations. An attacker who can extract the static credentials from an existing installation of Cisco ESC could generate an admin session token that allows access to all instances of the ESC web UI. This vulnerability affects Cisco Elastic Services Controller prior to releases 2.3.1.434 and 2.3.2. Cisco Bug IDs: CSCvc76627.
References (2)
Core 2
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/99437
Vendor Advisory x_refsource_confirm
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-esc2
Scores
CVSS v3
9.8
EPSS
0.0293
EPSS Percentile
85.3%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-264
CWE-770
Status
published
Products (7)
cisco/elastic_services_controller
1.0.0
cisco/elastic_services_controller
1.1.0
cisco/elastic_services_controller
2.0
cisco/elastic_services_controller
2.1.0
cisco/elastic_services_controller
2.2.0
cisco/elastic_services_controller
2.3.0
n/a/Cisco Elastic Services Controller
Cisco Elastic Services Controller
Published
Jul 06, 2017
Tracked Since
Feb 18, 2026