Lucene search

CiscoCVE-2019-1917

HistoryJul 17, 2019 - 9:15 p.m.

CVE-2019-1917

2019-07-1721:15:11

CWE-287

cisco

web.nvd.nist.gov

cisco

vision

dynamic signage

director

rest api

authentication bypass

cve-2019-1917

vulnerability

nvd

cisco vision director

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.7

Confidence

High

EPSS

0.002

Percentile

51.7%

JSON

A vulnerability in the REST API interface of Cisco Vision Dynamic Signage Director could allow an unauthenticated, remote attacker to bypass authentication on an affected system. The vulnerability is due to insufficient validation of HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected system. A successful exploit could allow the attacker to execute arbitrary actions through the REST API with administrative privileges on the affected system. The REST API is enabled by default and cannot be disabled.

Affected configurations

Nvd

Node

ciscovision_dynamic_signage_directorRange≤5.0

ciscovision_dynamic_signage_directorRange6.0–6.1

ciscovision_dynamic_signage_directorMatch5.0sp1

ciscovision_dynamic_signage_directorMatch5.0sp2

ciscovision_dynamic_signage_directorMatch5.0sp3

ciscovision_dynamic_signage_directorMatch5.0sp4

ciscovision_dynamic_signage_directorMatch5.0sp5

ciscovision_dynamic_signage_directorMatch5.0sp6

ciscovision_dynamic_signage_directorMatch5.0sp7

ciscovision_dynamic_signage_directorMatch5.0sp8

ciscovision_dynamic_signage_directorMatch6.1sp1

ciscovision_dynamic_signage_directorMatch6.1sp2

VendorProductVersionCPE
ciscovision_dynamic_signage_director*cpe:2.3:a:cisco:vision_dynamic_signage_director:*:*:*:*:*:*:*:*
ciscovision_dynamic_signage_director5.0cpe:2.3:a:cisco:vision_dynamic_signage_director:5.0:sp1:*:*:*:*:*:*
ciscovision_dynamic_signage_director5.0cpe:2.3:a:cisco:vision_dynamic_signage_director:5.0:sp2:*:*:*:*:*:*
ciscovision_dynamic_signage_director5.0cpe:2.3:a:cisco:vision_dynamic_signage_director:5.0:sp3:*:*:*:*:*:*
ciscovision_dynamic_signage_director5.0cpe:2.3:a:cisco:vision_dynamic_signage_director:5.0:sp4:*:*:*:*:*:*
ciscovision_dynamic_signage_director5.0cpe:2.3:a:cisco:vision_dynamic_signage_director:5.0:sp5:*:*:*:*:*:*
ciscovision_dynamic_signage_director5.0cpe:2.3:a:cisco:vision_dynamic_signage_director:5.0:sp6:*:*:*:*:*:*
ciscovision_dynamic_signage_director5.0cpe:2.3:a:cisco:vision_dynamic_signage_director:5.0:sp7:*:*:*:*:*:*
ciscovision_dynamic_signage_director5.0cpe:2.3:a:cisco:vision_dynamic_signage_director:5.0:sp8:*:*:*:*:*:*
ciscovision_dynamic_signage_director6.1cpe:2.3:a:cisco:vision_dynamic_signage_director:6.1:sp1:*:*:*:*:*:*

Vendor	Product	Version	CPE
cisco	vision_dynamic_signage_director	*	cpe:2.3:a:cisco:vision_dynamic_signage_director::::::::
cisco	vision_dynamic_signage_director	5.0	cpe:2.3:a:cisco:vision_dynamic_signage_director:5.0:sp1::::::
cisco	vision_dynamic_signage_director	5.0	cpe:2.3:a:cisco:vision_dynamic_signage_director:5.0:sp2::::::
cisco	vision_dynamic_signage_director	5.0	cpe:2.3:a:cisco:vision_dynamic_signage_director:5.0:sp3::::::
cisco	vision_dynamic_signage_director	5.0	cpe:2.3:a:cisco:vision_dynamic_signage_director:5.0:sp4::::::
cisco	vision_dynamic_signage_director	5.0	cpe:2.3:a:cisco:vision_dynamic_signage_director:5.0:sp5::::::
cisco	vision_dynamic_signage_director	5.0	cpe:2.3:a:cisco:vision_dynamic_signage_director:5.0:sp6::::::
cisco	vision_dynamic_signage_director	5.0	cpe:2.3:a:cisco:vision_dynamic_signage_director:5.0:sp7::::::
cisco	vision_dynamic_signage_director	5.0	cpe:2.3:a:cisco:vision_dynamic_signage_director:5.0:sp8::::::
cisco	vision_dynamic_signage_director	6.1	cpe:2.3:a:cisco:vision_dynamic_signage_director:6.1:sp1::::::

Rows per page:

1-10 of 111

CNA Affected

[
  {
    "product": "Cisco Vision Dynamic Signage Director",
    "vendor": "Cisco",
    "versions": [
      {
        "lessThan": "6.1sp3",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

References

www.securityfocus.com/bid/109301

tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190717-cvdsd-wmauth

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.7

Confidence

High

EPSS

0.002

Percentile

51.7%

JSON

Related for CVE-2019-1917