Lucene search

CiscoCVE-2019-1863

HistoryAug 21, 2019 - 7:15 p.m.

CVE-2019-1863

2019-08-2119:15:14

CWE-285

cisco

web.nvd.nist.gov

cisco

imc

software

web-based

management interface

vulnerability

authentication

remote attacker

unauthorized changes

system configuration

insufficient authorization enforcement

http request

exploit

read-only privileges

critical system configurations

administrator privileges

cve-2019-1863

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

AI Score

7.9

Confidence

High

EPSS

0.001

Percentile

46.8%

JSON

A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Software could allow an authenticated, remote attacker to make unauthorized changes to the system configuration. The vulnerability is due to insufficient authorization enforcement. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected software. A successful exploit could allow a user with read-only privileges to change critical system configurations using administrator privileges.

Affected configurations

Nvd

Node

ciscounified_computing_systemMatch4.0\(1c\)hs3

Node

ciscointegrated_management_controller_supervisorRange1.5.0.0–1.5\(9g\)

ciscointegrated_management_controller_supervisorRange2.0.0.0–2.0\(13o\)

ciscointegrated_management_controller_supervisorRange3.0.0.0–3.0\(4k\)

ciscointegrated_management_controller_supervisorRange4.0.0.0–4.0\(4b\)

AND

ciscoencs_5100Match-

ciscoencs_5400Match-

ciscoucs-e1120d-m3Match-

ciscoucs-e140s-m2Match-

ciscoucs-e160d-m2Match-

ciscoucs-e160s-m3Match-

ciscoucs-e168d-m2Match-

ciscoucs-e180d-m3Match-

ciscoucs_c125_m5Match-

ciscoucs_c4200Match-

ciscoucs_s3260Match-

Node

ciscointegrated_management_controller_supervisorRange4.0.0.0–4.0\(1d\)

AND

ciscoencs_5100Match-

ciscoencs_5400Match-

ciscoucs-e1120d-m3Match-

ciscoucs-e140s-m2Match-

ciscoucs-e160d-m2Match-

ciscoucs-e160s-m3Match-

ciscoucs-e168d-m2Match-

ciscoucs-e180d-m3Match-

ciscoucs_c125_m5Match-

ciscoucs_c4200Match-

ciscoucs_s3260Match-

Node

ciscointegrated_management_controller_supervisorRange4.0.0.0–4.0\(2c\)

AND

ciscoencs_5100Match-

ciscoencs_5400Match-

ciscoucs-e1120d-m3Match-

ciscoucs-e140s-m2Match-

ciscoucs-e160d-m2Match-

ciscoucs-e160s-m3Match-

ciscoucs-e168d-m2Match-

ciscoucs-e180d-m3Match-

ciscoucs_c125_m5Match-

ciscoucs_c4200Match-

ciscoucs_s3260Match-

VendorProductVersionCPE
ciscounified_computing_system4.0(1c)hs3cpe:2.3:a:cisco:unified_computing_system:4.0\(1c\)hs3:*:*:*:*:*:*:*
ciscointegrated_management_controller_supervisor*cpe:2.3:a:cisco:integrated_management_controller_supervisor:*:*:*:*:*:*:*:*
ciscoencs_5100-cpe:2.3:h:cisco:encs_5100:-:*:*:*:*:*:*:*
ciscoencs_5400-cpe:2.3:h:cisco:encs_5400:-:*:*:*:*:*:*:*
ciscoucs-e1120d-m3-cpe:2.3:h:cisco:ucs-e1120d-m3:-:*:*:*:*:*:*:*
ciscoucs-e140s-m2-cpe:2.3:h:cisco:ucs-e140s-m2:-:*:*:*:*:*:*:*
ciscoucs-e160d-m2-cpe:2.3:h:cisco:ucs-e160d-m2:-:*:*:*:*:*:*:*
ciscoucs-e160s-m3-cpe:2.3:h:cisco:ucs-e160s-m3:-:*:*:*:*:*:*:*
ciscoucs-e168d-m2-cpe:2.3:h:cisco:ucs-e168d-m2:-:*:*:*:*:*:*:*
ciscoucs-e180d-m3-cpe:2.3:h:cisco:ucs-e180d-m3:-:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
cisco	unified_computing_system	4.0(1c)hs3	cpe:2.3:a:cisco:unified_computing_system:4.0\(1c\)hs3:::::::*
cisco	integrated_management_controller_supervisor	*	cpe:2.3:a:cisco:integrated_management_controller_supervisor::::::::
cisco	encs_5100	-	cpe:2.3:h:cisco:encs_5100:-:::::::*
cisco	encs_5400	-	cpe:2.3:h:cisco:encs_5400:-:::::::*
cisco	ucs-e1120d-m3	-	cpe:2.3:h:cisco:ucs-e1120d-m3:-:::::::*
cisco	ucs-e140s-m2	-	cpe:2.3:h:cisco:ucs-e140s-m2:-:::::::*
cisco	ucs-e160d-m2	-	cpe:2.3:h:cisco:ucs-e160d-m2:-:::::::*
cisco	ucs-e160s-m3	-	cpe:2.3:h:cisco:ucs-e160s-m3:-:::::::*
cisco	ucs-e168d-m2	-	cpe:2.3:h:cisco:ucs-e168d-m2:-:::::::*
cisco	ucs-e180d-m3	-	cpe:2.3:h:cisco:ucs-e180d-m3:-:::::::*

Rows per page:

1-10 of 131

CNA Affected

[
  {
    "product": "Cisco Unified Computing System E-Series Software (UCSE)",
    "vendor": "Cisco",
    "versions": [
      {
        "lessThan": "2.0(13o)",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

References

tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-privilege

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

AI Score

7.9

Confidence

High

EPSS

0.001

Percentile

46.8%

JSON

Related for CVE-2019-1863