CVE-2018-0134
MEDIUMCisco Mobility Services Engine - Unauthenticated Sensitive Information Exposure via RADIUS Authentication Response
Title source: llmDescription
A vulnerability in the RADIUS authentication module of Cisco Policy Suite could allow an unauthenticated, remote attacker to determine whether a subscriber username is valid. The vulnerability occurs because the Cisco Policy Suite RADIUS server component returns different authentication failure messages based on the validity of usernames. An attacker could use these messages to determine whether a valid subscriber username has been identified. The attacker could use this information in subsequent attacks against the system. Cisco Bug IDs: CSCvg47830.
References (2)
Core 2
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/102954
Vendor Advisory x_refsource_confirm
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180207-cps1
Scores
CVSS v3
5.3
EPSS
0.0145
EPSS Percentile
69.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-200
CWE-203
Status
published
Products (2)
cisco/mobility_services_engine
13.0.0
cisco/mobility_services_engine
13.1.0
Published
Feb 08, 2018
Tracked Since
Feb 18, 2026