CVE-2006-1672

CWE-399 CWE-94 — Code Injection4 documents4 sources

Severity

7.5HIGH

EPSS

3.8%

top 11.92%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco ONS 15310-cl Series Cisco ONS 15600 Cisco Optical Networking Systems Software +1 more

Timeline

PublishedApr 7

Latest updateMay 1

Description

The installation of Cisco Transport Controller (CTC) for Cisco Optical Networking System (ONS) 15000 series nodes adds a Java policy file entry with a wildcard that grants the java.security.AllPermission permission to any http URL containing "fs/LAUNCHER.jar", which allows remote attackers to execute arbitrary code on a CTC workstation, aka bug ID CSCea25049.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages4 packages

▶NVDcisco/optical_networking_systems_software20 versions+19

▶NVDcisco/transport_controller4.0.x

▶NVDcisco/ons_15310-cl_series0

▶NVDcisco/ons_156000

🔴Vulnerability Details

GHSA

GHSA-34wc-p67w-xmgr: The installation of Cisco Transport Controller (CTC) for Cisco Optical Networking System (ONS) 15000 series nodes adds a Java policy file entry with a↗2022-05-01

▶

CVEList

CVE-2006-1672: The installation of Cisco Transport Controller (CTC) for Cisco Optical Networking System (ONS) 15000 series nodes adds a Java policy file entry with a↗2006-04-07

▶

📋Vendor Advisories

Cisco

Cisco Optical Networking System 15000 Series and Cisco Transport Controller Vulnerabilities↗2006-04-05

▶