Mar 22, 2019 - 8:29 p.m.

CVE-2019-1716

2019-03-22 20:29:00
CWE-20
web.nvd.nist.gov
Tags: cisco, sip, software, vulnerability, dos, arbitrary code, exploit, http, cisco ip phone

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 9.7 High (Confidence: High)

CVSS2: 7.5 High
Access Vector
Access Complexity
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.006 Low (Percentile: 79.1%)

A vulnerability in the web-based management interface of Session Initiation Protocol (SIP) Software for Cisco IP Phone 7800 Series and Cisco IP Phone 8800 Series could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code. The vulnerability exists because the software improperly validates user-supplied input during user authentication. An attacker could exploit this vulnerability by connecting to an affected device using HTTP and supplying malicious user credentials. A successful exploit could allow the attacker to trigger a reload of an affected device, resulting in a DoS condition, or to execute arbitrary code with the privileges of the app user. Cisco fixed this vulnerability in the following SIP Software releases: 10.3(1)SR5 and later for Cisco Unified IP Conference Phone 8831; 11.0(4)SR3 and later for Cisco Wireless IP Phone 8821 and 8821-EX; and 12.5(1)SR1 and later for the rest of the Cisco IP Phone 7800 Series and 8800 Series.

Affected configurations

NVD
Node: cisco ip_phone_8821_firmware, Range: <11.0(4)sr3 AND cisco ip_phone_8821, Match: -
Node: cisco ip_phone_8821-ex_firmware, Range: <11.0(4)sr3 AND cisco ip_phone_8821-ex, Match: -
Node: cisco ip_conference_phone_7800_firmware, Range: <12.5(1)sr1 AND cisco ip_conference_phone_7800, Match: -
Node: cisco ip_phone_8800_firmware, Range: <12.5(1)sr1 AND cisco ip_phone_8800, Match: -
Node: cisco unified_ip_conferenece_phone_8831_firmware, Range: <10.3(1)sr5 AND cisco unified_ip_conferenece_phone_8831, Match: -

CNA Affected

[
  {
    "product": "Cisco Unified IP Conference Phone 8831",
    "vendor": "Cisco",
    "versions": [
      {
        "lessThan": "10.3(1)SR5",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "Cisco Wireless IP Phone 8821 and 8821-EX",
    "vendor": "Cisco",
    "versions": [
      {
        "lessThan": "11.0(4)SR3",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "Cisco IP Phone 7800 Series and 8800 Series",
    "vendor": "Cisco",
    "versions": [
      {
        "lessThan": "12.5(1)SR1",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]
