CVE-2019-1937 Cisco Integrated Management Controller Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data Authentication Bypass Vulnerability

2019-08-2100:00:00

CWE-287

cisco

www.cve.org

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

8.5 High

AI Score

Confidence

High

0.406 Medium

EPSS

Percentile

97.3%

JSON

A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data could allow an unauthenticated, remote attacker to acquire a valid session token with administrator privileges, bypassing user authentication. The vulnerability is due to insufficient request header validation during the authentication process. An attacker could exploit this vulnerability by sending a series of malicious requests to an affected device. An exploit could allow the attacker to use the acquired session token to gain full administrator access to the affected device.

CNA Affected

[
  {
    "vendor": "Cisco",
    "product": "Cisco Unified Computing System Director ",
    "versions": [
      {
        "version": "unspecified",
        "lessThan": "6.7.3.0",
        "status": "affected",
        "versionType": "custom"
      }
    ]
  }
]