CVE-2014-2358 - Vulnerability Details - OpenCVE

Multiple cross-site request forgery (CSRF) vulnerabilities in the administrative web interface in the proxy server on Fox-IT Fox DataDiode appliances before 1.7.2 allow remote attackers to hijack the authentication of administrators for requests that (1) create administrative users, (2) remove administrative users, or (3) change permissions.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Fox-it	Fox Datadiode

Configuration 1 [-]

cpe:2.3:h:fox-it:fox_datadiode:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://ics-cert.us-cert.gov/advisories/ICSA-14-269-02
https://www.cisa.gov/news-events/ics-advisories/icsa-14-269-02

History

Fri, 03 Oct 2025 17:30:00 +0000

Type	Values Removed	Values Added
Title		Fox-IT DataDiode Appliance CSRF
References		https://www.cisa.gov/news-events/ics-advisories/icsa-14-269-02
Metrics	cvssV2_0 `{'score': 6.8, 'vector': 'AV:N/AC:M/Au:N/C:P/I:P/A:P'}`	cvssV2_0 `{'score': 4.3, 'vector': 'AV:N/AC:M/Au:N/C:N/I:N/A:P'}`

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2014-10-19T01:00:00

Updated: 2025-10-03T17:19:27.344Z

Reserved: 2014-03-13T00:00:00

Link: CVE-2014-2358

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2014-10-19T01:55:10.107

Modified: 2025-10-03T18:15:34.077

Link: CVE-2014-2358

Redhat

No data.

{"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "DataDiode Appliance", "vendor": "Fox-IT", "versions": [{"lessThanOrEqual": "1.7.1", "status": "affected", "version": "0", "versionType": "custom"}, {"status": "unaffected", "version": "1.7.2"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tudor Enache of HelpAG"}], "datePublic": "2014-10-16T06:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Multiple cross-site request forgery (CSRF) vulnerabilities in the administrative web interface in the proxy server on Fox-IT Fox DataDiode appliances before 1.7.2 allow remote attackers to hijack the authentication of administrators for requests that (1) create administrative users, (2) remove administrative users, or (3) change permissions.</p>"}], "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in the administrative web interface in the proxy server on Fox-IT Fox DataDiode appliances before 1.7.2 allow remote attackers to hijack the authentication of administrators for requests that (1) create administrative users, (2) remove administrative users, or (3) change permissions."}], "metrics": [{"cvssV2_0": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "CWE-352", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2025-10-03T17:19:27.344Z"}, "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-14-269-02"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Fox-IT has released Version 1.7.2 of the Fox DataDiode Appliance that\n resolves the reported vulnerability. A Fox-IT product advisory titled \n\u201cFox DataDiode Appliance 1.7.2 advisory,\u201d containing background and \npreparation information, as well as the upgrade instructions, are \navailable by contacting the local Fox-IT customer support.</p>\n<p>Fox-IT also recommends the following actions:</p>\n<ul>\n<li>All users of the Fox DataDiode Appliance should upgrade their systems to Version 1.7.2.</li>\n<li>This installation consists of a reinstallation of the new version of\n the software. Therefore, the existing software configuration should be \nexported before this upgrade. This configuration can then be restored \nafter the upgrade.</li>\n<li>Users are advised to change all passwords of administrator and user \naccounts in the Fox DataDiode Appliance, plus passwords used for FTP/SSL\n connections.</li>\n</ul>\n\n<br>"}], "value": "Fox-IT has released Version 1.7.2 of the Fox DataDiode Appliance that\n resolves the reported vulnerability. A Fox-IT product advisory titled \n\u201cFox DataDiode Appliance 1.7.2 advisory,\u201d containing background and \npreparation information, as well as the upgrade instructions, are \navailable by contacting the local Fox-IT customer support.\n\n\nFox-IT also recommends the following actions:\n\n\n\n * All users of the Fox DataDiode Appliance should upgrade their systems to Version 1.7.2.\n\n * This installation consists of a reinstallation of the new version of\n the software. Therefore, the existing software configuration should be \nexported before this upgrade. This configuration can then be restored \nafter the upgrade.\n\n * Users are advised to change all passwords of administrator and user \naccounts in the Fox DataDiode Appliance, plus passwords used for FTP/SSL\n connections."}], "source": {"advisory": "ICSA-14-269-02", "discovery": "EXTERNAL"}, "title": "Fox-IT DataDiode Appliance CSRF", "x_generator": {"engine": "Vulnogram 0.2.0"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2014-2358", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in the administrative web interface in the proxy server on Fox-IT Fox DataDiode appliances before 1.7.2 allow remote attackers to hijack the authentication of administrators for requests that (1) create administrative users, (2) remove administrative users, or (3) change permissions."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://ics-cert.us-cert.gov/advisories/ICSA-14-269-02", "refsource": "MISC", "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-269-02"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T10:14:25.516Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-269-02"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2014-2358", "datePublished": "2014-10-19T01:00:00", "dateReserved": "2014-03-13T00:00:00", "dateUpdated": "2025-10-03T17:19:27.344Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:fox-it:fox_datadiode:*:*:*:*:*:*:*:*", "matchCriteriaId": "312C1C72-F161-4547-BF38-51402F48E5A4", "versionEndIncluding": "1.7.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in the administrative web interface in the proxy server on Fox-IT Fox DataDiode appliances before 1.7.2 allow remote attackers to hijack the authentication of administrators for requests that (1) create administrative users, (2) remove administrative users, or (3) change permissions."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de CSRF en la interfaz web de administraci\u00f3n en el servidor proxy en los dispositivos Fox-IT Fox DataDiode anterior a 1.7.2 permiten a atacantes remotos secuestrar la autenticaci\u00f3n de administradores para solicitudes que (1) crean usuarios administrativos, (2) eliminan usuarios administrativos o (3) cambian permisos."}], "id": "CVE-2014-2358", "lastModified": "2025-10-03T18:15:34.077", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "ics-cert@hq.dhs.gov", "type": "Secondary", "userInteractionRequired": true}, {"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2014-10-19T01:55:10.107", "references": [{"source": "ics-cert@hq.dhs.gov", "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-14-269-02"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-269-02"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Secondary"}]}