Details of VAR-201704-1334

ID

VAR-201704-1334

CVE

CVE-2017-6619

TITLE

Cisco Integrated Management Controller of Web Base of GUI Input validation vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-003239

DESCRIPTION

A vulnerability in the web-based GUI of Cisco Integrated Management Controller (IMC) 3.0(1c) could allow an authenticated, remote attacker to execute arbitrary commands on an affected system. The vulnerability exists because the affected software does not sufficiently sanitize user-supplied HTTP input. An attacker could exploit this vulnerability by sending an HTTP POST request that contains crafted, deserialized user data to the affected software. A successful exploit could allow the attacker to execute arbitrary commands with root-level privileges on the affected system, which the attacker could use to conduct further attacks. Cisco Bug IDs: CSCvd14591. Vendors have confirmed this vulnerability Bug ID CSCvd14591 It is released as.Information is obtained, information is altered, and service operation is disrupted (DoS) An attack may be carried out

Trust: 1.98

sources: NVD: CVE-2017-6619 // JVNDB: JVNDB-2017-003239 // BID: 97925 // VULHUB: VHN-114822

AFFECTED PRODUCTS

vendor:	cisco	model:	integrated management controller supervisor	scope:	eq	version:	3.0\(1c\)	Trust: 1.6
vendor:	cisco	model:	integrated management controller supervisor	scope:	eq	version:	3.0(1c)	Trust: 0.8
vendor:	cisco	model:	integrated management controller 1.4	scope:	-	version:	-	Trust: 0.6
vendor:	cisco	model:	unified computing system 3.0	scope:	-	version:	-	Trust: 0.3
vendor:	cisco	model:	integrated management controller 3.0	scope:	-	version:	-	Trust: 0.3
vendor:	cisco	model:	integrated management controller	scope:	eq	version:	2.0(9)	Trust: 0.3
vendor:	cisco	model:	integrated management controller	scope:	eq	version:	2.0(8)	Trust: 0.3
vendor:	cisco	model:	integrated management controller	scope:	eq	version:	2.0(7)	Trust: 0.3
vendor:	cisco	model:	integrated management controller	scope:	eq	version:	2.0(6)	Trust: 0.3
vendor:	cisco	model:	integrated management controller	scope:	eq	version:	2.0(5)	Trust: 0.3
vendor:	cisco	model:	integrated management controller	scope:	eq	version:	2.0(4)	Trust: 0.3
vendor:	cisco	model:	integrated management controller	scope:	eq	version:	2.0(3)	Trust: 0.3
vendor:	cisco	model:	integrated management controller	scope:	eq	version:	2.0(2)	Trust: 0.3
vendor:	cisco	model:	integrated management controller	scope:	eq	version:	2.0(13)	Trust: 0.3
vendor:	cisco	model:	integrated management controller	scope:	eq	version:	2.0(12)	Trust: 0.3
vendor:	cisco	model:	integrated management controller	scope:	eq	version:	2.0(11)	Trust: 0.3
vendor:	cisco	model:	integrated management controller	scope:	eq	version:	2.0(1)	Trust: 0.3
vendor:	cisco	model:	integrated management controller	scope:	eq	version:	1.5(9)	Trust: 0.3
vendor:	cisco	model:	integrated management controller	scope:	eq	version:	1.5(8)	Trust: 0.3
vendor:	cisco	model:	integrated management controller	scope:	eq	version:	1.5(7)	Trust: 0.3
vendor:	cisco	model:	integrated management controller	scope:	eq	version:	1.5(6)	Trust: 0.3
vendor:	cisco	model:	integrated management controller	scope:	eq	version:	1.5(5)	Trust: 0.3
vendor:	cisco	model:	integrated management controller	scope:	eq	version:	1.5(4)	Trust: 0.3
vendor:	cisco	model:	integrated management controller 1.5	scope:	-	version:	-	Trust: 0.3
vendor:	cisco	model:	integrated management controller	scope:	eq	version:	1.5(1)	Trust: 0.3
vendor:	cisco	model:	integrated management controller	scope:	eq	version:	1.4(8)	Trust: 0.3
vendor:	cisco	model:	integrated management controller	scope:	eq	version:	1.4(7)	Trust: 0.3
vendor:	cisco	model:	integrated management controller	scope:	eq	version:	1.4(6)	Trust: 0.3
vendor:	cisco	model:	integrated management controller	scope:	eq	version:	1.4(5)	Trust: 0.3
vendor:	cisco	model:	integrated management controller	scope:	eq	version:	1.4(4)	Trust: 0.3
vendor:	cisco	model:	integrated management controller	scope:	eq	version:	1.4(2)	Trust: 0.3
vendor:	cisco	model:	integrated management controller	scope:	eq	version:	1.4(1)	Trust: 0.3
vendor:	cisco	model:	integrated management controller	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	unified computing system 3.0	scope:	ne	version:	-	Trust: 0.3

sources: BID: 97925 // JVNDB: JVNDB-2017-003239 // CNNVD: CNNVD-201704-1053 // NVD: CVE-2017-6619

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-6619
value:	HIGH
Trust: 1.0
NVD:	CVE-2017-6619
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201704-1053
value:	HIGH
Trust: 0.6
VULHUB:	VHN-114822
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2017-6619
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-114822
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-6619
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-114822 // JVNDB: JVNDB-2017-003239 // CNNVD: CNNVD-201704-1053 // NVD: CVE-2017-6619

PROBLEMTYPE DATA

problemtype:

CWE-20

Trust: 1.9

sources: VULHUB: VHN-114822 // JVNDB: JVNDB-2017-003239 // NVD: CVE-2017-6619

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201704-1053

TYPE

Input Validation Error

Trust: 0.9

sources: BID: 97925 // CNNVD: CNNVD-201704-1053

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-003239

PATCH

title:	cisco-sa-20170419-cimc	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170419-cimc	Trust: 0.8
title:	Cisco Integrated Management Controller Enter the fix for the verification vulnerability	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=69451	Trust: 0.6

sources: JVNDB: JVNDB-2017-003239 // CNNVD: CNNVD-201704-1053

EXTERNAL IDS

db:	NVD	id:	CVE-2017-6619	Trust: 2.8
db:	BID	id:	97925	Trust: 2.0
db:	JVNDB	id:	JVNDB-2017-003239	Trust: 0.8
db:	CNNVD	id:	CNNVD-201704-1053	Trust: 0.6
db:	VULHUB	id:	VHN-114822	Trust: 0.1

sources: VULHUB: VHN-114822 // BID: 97925 // JVNDB: JVNDB-2017-003239 // CNNVD: CNNVD-201704-1053 // NVD: CVE-2017-6619

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20170419-cimc	Trust: 2.0
url:	http://www.securityfocus.com/bid/97925	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-6619	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-6619	Trust: 0.8
url:	http://www.cisco.com/	Trust: 0.3

sources: VULHUB: VHN-114822 // BID: 97925 // JVNDB: JVNDB-2017-003239 // CNNVD: CNNVD-201704-1053 // NVD: CVE-2017-6619

CREDITS

Cisco

Trust: 0.3

sources: BID: 97925

SOURCES

db:	VULHUB	id:	VHN-114822
db:	BID	id:	97925
db:	JVNDB	id:	JVNDB-2017-003239
db:	CNNVD	id:	CNNVD-201704-1053
db:	NVD	id:	CVE-2017-6619

LAST UPDATE DATE

2024-11-23T21:41:21.853000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-114822	date:	2019-10-09T00:00:00
db:	BID	id:	97925	date:	2017-09-25T18:00:00
db:	JVNDB	id:	JVNDB-2017-003239	date:	2017-05-22T00:00:00
db:	CNNVD	id:	CNNVD-201704-1053	date:	2019-10-17T00:00:00
db:	NVD	id:	CVE-2017-6619	date:	2024-11-21T03:30:08.530

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-114822	date:	2017-04-20T00:00:00
db:	BID	id:	97925	date:	2017-04-19T00:00:00
db:	JVNDB	id:	JVNDB-2017-003239	date:	2017-05-22T00:00:00
db:	CNNVD	id:	CNNVD-201704-1053	date:	2017-04-21T00:00:00
db:	NVD	id:	CVE-2017-6619	date:	2017-04-20T22:59:00.887