Describe the bug
There appears to be a significant number of advisories without version information. These advisories sometimes have linked bug pages with some affected versions on them, but this data is not available via the API.
Additionally, when one of these affected versions is queried for vulnerabilities via the API, the advisories in question do not appear in the API response. This is a false negative (Cisco indicates via the API that a version is not affected by a vulnerability, but in fact the version is affected).
This issue extends past the API to the CVRF available for download on the advisory webpages.
To Reproduce
Steps to reproduce the behavior:
Use the API to retrieve affected versions for one of the following advisories:
Observe that the product_names attribute only includes "Cisco NX-OS Software " without version information.
Example:
$ openVulnQuery --config cisco-api.json --advisory cisco-sa-20180117-nxos1
[
    {
        "advisory_id": "cisco-sa-20180117-nxos1",
        "advisory_title": "Cisco NX-OS System Software Unauthorized User Account Deletion Vulnerability",
        "bug_ids": [
            "CSCvg21120"
        ],
        "cves": [
            "CVE-2018-0092"
        ],
        "cvrfUrl": "https://tools.cisco.com/security/center/contentxml/CiscoSecurityAdvisory/cisco-sa-20180117-nxos1/cvrf/cisco-sa-20180117-nxos1_cvrf.xml",
        "cvss_base_score": "6.1",
        "cwe": [
            "CWE-264"
        ],
        "first_published": "2018-01-17T16:00:00-0800",
        "ips_signatures": [
            "NA"
        ],
        "last_updated": "2018-01-17T16:00:00-0800",
        "product_names": [
            "Cisco NX-OS Software "
        ],
        "publication_url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180117-nxos1",
        "sir": "Medium",
        "summary": "A vulnerability in the <em>network-operator</em> user role implementation for Cisco NX-OS System Software could allow an authenticated, local attacker to improperly delete valid user accounts. The <em>network-operator</em> role should not be able to delete other configured users on the device.<br />\n<br />\nThe vulnerability is due to a lack of proper role-based access control (RBAC) checks for the actions that a user with the <em>network-operator</em> role is allowed to perform. An attacker could exploit this vulnerability by authenticating to the device with user credentials that give that user the <em>network-operator</em> role. Successful exploitation could allow the attacker to impact the integrity of the device by deleting configured user credentials. The attacker would need valid user credentials for the device.<br />\n<br />\nThere are no workarounds that address this vulnerability.<br />\n<br />\nThis advisory is available at the following link:<br />\n<a href=\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180117-nxos1\">https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180117-nxos1</a>"
    }
]
Manually retrieve an affected version from a bug page attached to one of these advisories (e.g. 7.0(3)I6(1) from CSCvg21120 via cisco-sa-20180117-nxos1). A browser must be used to access this data.
Make a call to the API looking for advisories that affect that version.
Observe that the advisory is not in the response from the API.
Expected behavior
Screenshots
Please see API responses above.
Client Info
Additional context
I made a post on the Cisco Community about this issue and was directed to create an issue here. Please see that discussion for additional context.
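The false negative described in this issue is silent: a per-version query simply omits advisories whose product_names carry no version text, and nothing in the response says so. The script below is an added example, not code from the openVulnQuery project or from the reporter. It reads advisory records in the JSON shape openVulnQuery prints, flags the records that list no version at all, and combines that with the result of a per-version query (assumed to have been fetched separately by the caller) so that "not returned" can be separated into "checked and not affected" versus "could not be matched by version, verify against the linked bug page". The sample input is constructed from the advisory quoted above plus one invented, clearly labelled record with version data; the version regex is an assumption about how Cisco formats version strings.

```python
"""Flag Cisco openVuln advisories that carry no version information.

Added example (not part of openVulnQuery). Works offline on a constructed
sample in the JSON shape that `openVulnQuery --advisory ...` prints.
"""
import json
import re

# Version text as it appears in Cisco advisories: NX-OS style "7.0(3)I6(1)"
# or dotted "8.3.2". This is an assumption for the example; extend the
# pattern if your data uses other shapes.
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)*(?:\(\d+\)[A-Za-z0-9()]*)?")

# Constructed input. The first record is the advisory quoted in this issue
# (fields trimmed). The second is an invented placeholder record, included
# only to show what a record with version data looks like.
SAMPLE_JSON = """
[
  {"advisory_id": "cisco-sa-20180117-nxos1",
   "bug_ids": ["CSCvg21120"],
   "cves": ["CVE-2018-0092"],
   "product_names": ["Cisco NX-OS Software "]},
  {"advisory_id": "example-versioned-advisory",
   "product_names": ["Cisco NX-OS Software 7.0(3)I6(1)",
                     "Cisco NX-OS Software 8.3.2"]}
]
"""


def load_sample():
    """Parse the constructed sample into the list of advisory dicts."""
    return json.loads(SAMPLE_JSON)


def has_version_info(product_name: str) -> bool:
    """True if the product string carries a version, e.g. '... 7.0(3)I6(1)'."""
    return VERSION_RE.search(product_name) is not None


def unversioned_advisories(records):
    """Advisory IDs whose product_names list no version at all.

    A version-based query cannot match these records, so their absence from
    a per-version result set says nothing about whether that version is
    affected. Order follows the input.
    """
    return [
        rec["advisory_id"]
        for rec in records
        if not any(has_version_info(p) for p in rec.get("product_names", []))
    ]


def audit_version_query(version_hits, product_records):
    """Separate a per-version result into confirmed hits and blind spots.

    version_hits:    advisory IDs the API returned for one specific version
                     (fetched by the caller with whatever per-version query
                     their openVulnQuery build exposes; assumed input here).
    product_records: every advisory record for the product family.

    Returns (confirmed, unverifiable): IDs the version query did return, and
    IDs the API could not have matched by version, which need a manual check
    against the advisory's linked bug pages.
    """
    hits = set(version_hits)
    unverifiable = [a for a in unversioned_advisories(product_records)
                    if a not in hits]
    return sorted(hits), unverifiable


def main():
    records = load_sample()
    # Constructed scenario: the per-version query for 7.0(3)I6(1) returned
    # only the versioned record, which is exactly the false negative this
    # issue reports for cisco-sa-20180117-nxos1.
    confirmed, unverifiable = audit_version_query(
        ["example-versioned-advisory"], records)
    print("matched by version:", confirmed)
    print("no version data in API, check bug page manually:", unverifiable)


if __name__ == "__main__":
    main()
```

In practice the `product_records` list would come from a per-product query for the whole family, and `version_hits` from the per-version query; the point of the audit is that an empty or short per-version result is only trustworthy for the advisories that actually carry version text.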