Lucene search

CiscoCVE-2019-1885

HistoryAug 21, 2019 - 7:15 p.m.

CVE-2019-1885

2019-08-2119:15:14

CWE-78

cisco

web.nvd.nist.gov

vulnerability

cisco

imc

redfish protocol

cve-2019-1885

nvd

security advisory

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score

7.2

Confidence

High

EPSS

0.002

Percentile

55.3%

JSON

A vulnerability in the Redfish protocol of Cisco Integrated Management Controller (IMC) could allow an authenticated, remote attacker to inject and execute arbitrary commands with root privileges on an affected device. The vulnerability is due to insufficient validation of user-supplied input by the affected software. An attacker could exploit this vulnerability by sending crafted authenticated commands to the web-based management interface of the affected software. A successful exploit could allow the attacker to inject and execute arbitrary commands on an affected device with root privileges.

Affected configurations

Nvd

Node

ciscounified_computing_systemMatch4.0\(1c\)hs3

Node

ciscointegrated_management_controller_supervisorRange3.0.0.0–3.0\(4k\)

ciscointegrated_management_controller_supervisorRange4.0.0.0–4.0\(4b\)

AND

ciscoucs_c125_m5Match-

ciscoucs_c4200Match-

ciscoucs_s3260Match-

Node

ciscointegrated_management_controller_supervisorRange4.0.0.0–4.0\(2f\)

AND

ciscoucs_c125_m5Match-

ciscoucs_c4200Match-

ciscoucs_s3260Match-

VendorProductVersionCPE
ciscounified_computing_system4.0(1c)hs3cpe:2.3:a:cisco:unified_computing_system:4.0\(1c\)hs3:*:*:*:*:*:*:*
ciscointegrated_management_controller_supervisor*cpe:2.3:a:cisco:integrated_management_controller_supervisor:*:*:*:*:*:*:*:*
ciscoucs_c125_m5-cpe:2.3:h:cisco:ucs_c125_m5:-:*:*:*:*:*:*:*
ciscoucs_c4200-cpe:2.3:h:cisco:ucs_c4200:-:*:*:*:*:*:*:*
ciscoucs_s3260-cpe:2.3:h:cisco:ucs_s3260:-:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
cisco	unified_computing_system	4.0(1c)hs3	cpe:2.3:a:cisco:unified_computing_system:4.0\(1c\)hs3:::::::*
cisco	integrated_management_controller_supervisor	*	cpe:2.3:a:cisco:integrated_management_controller_supervisor::::::::
cisco	ucs_c125_m5	-	cpe:2.3:h:cisco:ucs_c125_m5:-:::::::*
cisco	ucs_c4200	-	cpe:2.3:h:cisco:ucs_c4200:-:::::::*
cisco	ucs_s3260	-	cpe:2.3:h:cisco:ucs_s3260:-:::::::*

CNA Affected

[
  {
    "product": "Cisco Unified Computing System (Management Software)",
    "vendor": "Cisco",
    "versions": [
      {
        "lessThan": "3.0(4k)",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

References

tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-ucs-cimc

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score

7.2

Confidence

High

EPSS

0.002

Percentile

55.3%

JSON

Related for CVE-2019-1885