Lucene search

[email protected]CVE-2019-1974

HistoryAug 21, 2019 - 7:15 p.m.

CVE-2019-1974

2019-08-2119:15:15

CWE-287

[email protected]

web.nvd.nist.gov

cisco

imc

ucs director

authentication bypass

vulnerability

security

nvd

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.7 High

AI Score

Confidence

High

10 High

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.007 Low

EPSS

Percentile

79.8%

JSON

A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data could allow an unauthenticated, remote attacker to bypass user authentication and gain access as an administrative user. The vulnerability is due to insufficient request header validation during the authentication process. An attacker could exploit this vulnerability by sending a series of malicious requests to an affected device. An exploit could allow the attacker to gain full administrative access to the affected device.

Affected configurations

NVD

Node

ciscointegrated_management_controller_supervisorRange2.2.0.0–2.2.0.6

ciscointegrated_management_controller_supervisorMatch2.1.0.0

Node

ciscoucs_directorRange5.5.0.0–5.5.0.2

ciscoucs_directorRange6.0.0.0–6.0.1.3

ciscoucs_directorRange6.5.0.0–6.5.0.3

ciscoucs_directorRange6.6.0.0–6.6.1.0

ciscoucs_directorRange6.7.0.0–6.7.2.0

ciscoucs_directorMatch6.7\(1.1\)

ciscoucs_directorMatch6.7\(2.0\)

Node

ciscoucs_director_express_for_big_dataRange2.1.0.0–2.1.0.2

ciscoucs_director_express_for_big_dataRange3.0.0.0–3.0.1.3

ciscoucs_director_express_for_big_dataRange3.5.0.0–3.5.0.3

ciscoucs_director_express_for_big_dataRange3.7.0.0–3.7.2.0

ciscoucs_director_express_for_big_dataMatch3.6.0.0

ciscoucs_director_express_for_big_dataMatch3.6.1.0

CPENameOperatorVersion
cisco:integrated_management_controller_supervisorcisco integrated management controller supervisorle2.2.0.6
cisco:integrated_management_controller_supervisorcisco integrated management controller supervisoreq2.1.0.0

CPE	Name	Operator	Version
cisco:integrated_management_controller_supervisor	cisco integrated management controller supervisor	le	2.2.0.6
cisco:integrated_management_controller_supervisor	cisco integrated management controller supervisor	eq	2.1.0.0

CNA Affected

[
  {
    "product": "Cisco Unified Computing System Director ",
    "vendor": "Cisco",
    "versions": [
      {
        "lessThan": "6.7.3.0",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

References

tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-ucs-authbypass

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.7 High

AI Score

Confidence

High

10 High

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.007 Low

EPSS

Percentile

79.8%

JSON

Related for CVE-2019-1974

prion1 cisco1 nessus1 cvelist1 nvd1 threatpost1