Lucene search

CiscoCVE-2019-1907

HistoryAug 21, 2019 - 7:15 p.m.

CVE-2019-1907

2019-08-2119:15:15

CWE-285

cisco

web.nvd.nist.gov

cisco

imc

vulnerability

web server

authenticated

remote attacker

sensitive configuration

elevated privileges

nvd

cve-2019-1907

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.6

Confidence

High

EPSS

0.002

Percentile

51.7%

JSON

A vulnerability in the web server of Cisco Integrated Management Controller (IMC) could allow an authenticated, remote attacker to set sensitive configuration values and gain elevated privileges. The vulnerability is due to improper handling of substring comparison operations that are performed by the affected software. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected software. A successful exploit could allow the attacker with read-only privileges to gain administrator privileges.

Affected configurations

Nvd

Node

ciscounified_computing_systemMatch4.0\(1c\)hs3

Node

ciscointegrated_management_controller_supervisorRange<4.0\(4b\)

AND

ciscoucs_c125_m5Match-

ciscoucs_c4200Match-

ciscoucs_s3260Match-

Node

ciscointegrated_management_controller_supervisorRange<4.0\(2f\)

AND

ciscoucs_c125_m5Match-

ciscoucs_c4200Match-

ciscoucs_s3260Match-

VendorProductVersionCPE
ciscounified_computing_system4.0(1c)hs3cpe:2.3:a:cisco:unified_computing_system:4.0\(1c\)hs3:*:*:*:*:*:*:*
ciscointegrated_management_controller_supervisor*cpe:2.3:a:cisco:integrated_management_controller_supervisor:*:*:*:*:*:*:*:*
ciscoucs_c125_m5-cpe:2.3:h:cisco:ucs_c125_m5:-:*:*:*:*:*:*:*
ciscoucs_c4200-cpe:2.3:h:cisco:ucs_c4200:-:*:*:*:*:*:*:*
ciscoucs_s3260-cpe:2.3:h:cisco:ucs_s3260:-:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
cisco	unified_computing_system	4.0(1c)hs3	cpe:2.3:a:cisco:unified_computing_system:4.0\(1c\)hs3:::::::*
cisco	integrated_management_controller_supervisor	*	cpe:2.3:a:cisco:integrated_management_controller_supervisor::::::::
cisco	ucs_c125_m5	-	cpe:2.3:h:cisco:ucs_c125_m5:-:::::::*
cisco	ucs_c4200	-	cpe:2.3:h:cisco:ucs_c4200:-:::::::*
cisco	ucs_s3260	-	cpe:2.3:h:cisco:ucs_s3260:-:::::::*

CNA Affected

[
  {
    "product": "Cisco Unified Computing System (Management Software)",
    "vendor": "Cisco",
    "versions": [
      {
        "lessThan": "4.0(2f)",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

References

tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-privescal

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.6

Confidence

High

EPSS

0.002

Percentile

51.7%

JSON

Related for CVE-2019-1907