Vulnerability Description
Cisco Unified Communications Manager (CUCM) 7.1(x) through 9.1(2) and the IM & Presence Service in Cisco Unified Presence Server through 9.1(2) use the same CTI and database-encryption key across different customers' installations, which makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of this key, aka Bug IDs CSCsc69187 and CSCui01756. NOTE: the vendor has provided a statement that the "hard-coded static encryption key is considered a hardening issue rather than a vulnerability, and as such, has a CVSS score of 0/0."
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cisco | Unified Communications Manager | >= 7.1\(1\), <= 9.1\(2\) |
Related Weaknesses (CWE)
References
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20Vendor Advisory
- https://exchange.xforce.ibmcloud.com/vulnerabilities/85883Third Party AdvisoryVDB Entry
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20Vendor Advisory
- https://exchange.xforce.ibmcloud.com/vulnerabilities/85883Third Party AdvisoryVDB Entry
FAQ
What is CVE-2013-4869?
CVE-2013-4869 is a vulnerability with a CVSS score of 0.0 (LOW). Cisco Unified Communications Manager (CUCM) 7.1(x) through 9.1(2) and the IM & Presence Service in Cisco Unified Presence Server through 9.1(2) use the same CTI and database-encryption key across diff...
How severe is CVE-2013-4869?
CVE-2013-4869 has been rated LOW with a CVSS base score of 0.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2013-4869?
Check the references section above for vendor advisories and patch information. Affected products include: Cisco Unified Communications Manager.