Lucene search

CiscoCVE-2019-1626

HistoryJun 20, 2019 - 3:15 a.m.

CVE-2019-1626

2019-06-2003:15:11

CWE-264

CWE-863

cisco

web.nvd.nist.gov

175

vmanage

cisco

sd-wan

vulnerability

web-based ui

nvd

cve-2019-1626

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.7

Confidence

High

EPSS

0.002

Percentile

59.0%

JSON

A vulnerability in the vManage web-based UI (Web UI) of the Cisco SD-WAN Solution could allow an authenticated, remote attacker to gain elevated privileges on an affected vManage device. The vulnerability is due to a failure to properly authorize certain user actions in the device configuration. An attacker could exploit this vulnerability by logging in to the vManage Web UI and sending crafted HTTP requests to vManage. A successful exploit could allow attackers to gain elevated privileges and make changes to the configuration that they would not normally be authorized to make.

Affected configurations

Nvd

Node

ciscosd-wan_firmwareRange≤18.3.6

AND

ciscovedge-100Match-

ciscovedge-1000Match-

ciscovedge-100bMatch-

ciscovedge-2000Match-

ciscovedge-5000Match-

ciscovedge_100mMatch-

ciscovedge_100wmMatch-

VendorProductVersionCPE
ciscosd-wan_firmware*cpe:2.3:o:cisco:sd-wan_firmware:*:*:*:*:*:*:*:*
ciscovedge-100-cpe:2.3:h:cisco:vedge-100:-:*:*:*:*:*:*:*
ciscovedge-1000-cpe:2.3:h:cisco:vedge-1000:-:*:*:*:*:*:*:*
ciscovedge-100b-cpe:2.3:h:cisco:vedge-100b:-:*:*:*:*:*:*:*
ciscovedge-2000-cpe:2.3:h:cisco:vedge-2000:-:*:*:*:*:*:*:*
ciscovedge-5000-cpe:2.3:h:cisco:vedge-5000:-:*:*:*:*:*:*:*
ciscovedge_100m-cpe:2.3:h:cisco:vedge_100m:-:*:*:*:*:*:*:*
ciscovedge_100wm-cpe:2.3:h:cisco:vedge_100wm:-:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
cisco	sd-wan_firmware	*	cpe:2.3:o:cisco:sd-wan_firmware::::::::
cisco	vedge-100	-	cpe:2.3:h:cisco:vedge-100:-:::::::*
cisco	vedge-1000	-	cpe:2.3:h:cisco:vedge-1000:-:::::::*
cisco	vedge-100b	-	cpe:2.3:h:cisco:vedge-100b:-:::::::*
cisco	vedge-2000	-	cpe:2.3:h:cisco:vedge-2000:-:::::::*
cisco	vedge-5000	-	cpe:2.3:h:cisco:vedge-5000:-:::::::*
cisco	vedge_100m	-	cpe:2.3:h:cisco:vedge_100m:-:::::::*
cisco	vedge_100wm	-	cpe:2.3:h:cisco:vedge_100wm:-:::::::*

CNA Affected

[
  {
    "product": "Cisco SD-WAN Solution",
    "vendor": "Cisco",
    "versions": [
      {
        "lessThan": "18.4.0",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

References

www.securityfocus.com/bid/108838

tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190619-sdwan-privilescal

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.7

Confidence

High

EPSS

0.002

Percentile

59.0%

JSON

Related for CVE-2019-1626