ID

VAR-201902-0422


CVE

CVE-2019-1666


TITLE

Cisco HyperFlex Software access control vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-001944

DESCRIPTION

A vulnerability in the Graphite service of Cisco HyperFlex software could allow an unauthenticated, remote attacker to retrieve data from the Graphite service. The vulnerability is due to insufficient authentication controls. An attacker could exploit this vulnerability by sending crafted requests to the Graphite service. A successful exploit could allow the attacker to retrieve any statistics from the Graphite service. Versions prior to 3.5(2a) are affected. Cisco HyperFlex software contains an access control vulnerability. Information may be obtained. An attacker can exploit this issue to access arbitrary files in the context of the application, which may aid in further attacks. This issue is being tracked by Cisco Bug ID CSCvj95580. Cisco HyperFlex Software is a set of scalable distributed file systems from Cisco. The system provides unified computing, storage and network through cloud management, and provides enterprise-level data management and optimization services.

Trust: 2.07

sources: NVD: CVE-2019-1666 // JVNDB: JVNDB-2019-001944 // BID: 107108 // VULHUB: VHN-148828 // VULMON: CVE-2019-1666

AFFECTED PRODUCTS

vendor: cisco | model: hyperflex hx data platform | scope: eq | version: 2.6(1e)

Trust: 1.0

vendor: cisco | model: hyperflex hx data platform | scope: eq | version: 3.5(1a)

Trust: 1.0

vendor: cisco | model: hyperflex hx data platform | scope: eq | version: 3.0(1b)

Trust: 1.0

vendor: cisco | model: hyperflex hx data platform | scope: eq | version: 3.0(1d)

Trust: 1.0

vendor: cisco | model: hyperflex hx data platform | scope: eq | version: 2.6(1a)

Trust: 1.0

vendor: cisco | model: hyperflex hx data platform | scope: eq | version: 3.0(1e)

Trust: 1.0

vendor: cisco | model: hyperflex hx data platform | scope: eq | version: 3.0(1h)

Trust: 1.0

vendor: cisco | model: hyperflex hx data platform | scope: eq | version: 3.0(1i)

Trust: 1.0

vendor: cisco | model: hyperflex hx data platform | scope: eq | version: 3.0(1c)

Trust: 1.0

vendor: cisco | model: hyperflex hx data platform | scope: eq | version: 3.0(1a)

Trust: 1.0

vendor: cisco | model: hyperflex hx data platform | scope: eq | version: 2.6(1d)

Trust: 1.0

vendor: cisco | model: hyperflex hx data platform | scope: eq | version: 2.6(1b)

Trust: 1.0

vendor: cisco | model: hyperflex | scope: lt | version: 3.5(2a)

Trust: 0.8

vendor: cisco | model: hyperflex hx-series 3.0 | scope: - | version: -

Trust: 0.3

vendor: cisco | model: hyperflex software 3.5 | scope: ne | version: -

Trust: 0.3

sources: BID: 107108 // JVNDB: JVNDB-2019-001944 // NVD: CVE-2019-1666

CVSS

SEVERITY

nvd@nist.gov: CVE-2019-1666
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2019-1666
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-1666
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201902-795
value: MEDIUM

Trust: 0.6

VULHUB: VHN-148828
value: MEDIUM

Trust: 0.1

VULMON: CVE-2019-1666
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2019-1666
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-148828
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

ykramarz@cisco.com: CVE-2019-1666
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 1.4
version: 3.0

Trust: 1.8

nvd@nist.gov: CVE-2019-1666
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 1.4
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-148828 // VULMON: CVE-2019-1666 // JVNDB: JVNDB-2019-001944 // CNNVD: CNNVD-201902-795 // NVD: CVE-2019-1666 // NVD: CVE-2019-1666

PROBLEMTYPE DATA

problemtype: CWE-284

Trust: 1.9

problemtype: CWE-287

Trust: 1.1

sources: VULHUB: VHN-148828 // JVNDB: JVNDB-2019-001944 // NVD: CVE-2019-1666

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201902-795

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201902-795

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-001944

PATCH

title: cisco-sa-20190220-hyper-retrieve | url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190220-hyper-retrieve

Trust: 0.8

title: Cisco HyperFlex Software Fixes for access control error vulnerabilities | url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=89589

Trust: 0.6

title: Cisco: Cisco HyperFlex Unauthenticated Statistics Retrieval Vulnerability | url: https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-20190220-hyper-retrieve

Trust: 0.1

title: rconfig-cves | url: https://github.com/fab1ano/rconfig-cves

Trust: 0.1

title: - | url: https://github.com/ExpLangcn/FuYao-Go

Trust: 0.1

sources: VULMON: CVE-2019-1666 // JVNDB: JVNDB-2019-001944 // CNNVD: CNNVD-201902-795

EXTERNAL IDS

db: NVD | id: CVE-2019-1666

Trust: 2.9

db: BID | id: 107108

Trust: 2.0

db: JVNDB | id: JVNDB-2019-001944

Trust: 0.8

db: CNNVD | id: CNNVD-201902-795

Trust: 0.7

db: NSFOCUS | id: 42794

Trust: 0.6

db: AUSCERT | id: ESB-2019.0532.3

Trust: 0.6

db: VULHUB | id: VHN-148828

Trust: 0.1

db: VULMON | id: CVE-2019-1666

Trust: 0.1

sources: VULHUB: VHN-148828 // VULMON: CVE-2019-1666 // BID: 107108 // JVNDB: JVNDB-2019-001944 // CNNVD: CNNVD-201902-795 // NVD: CVE-2019-1666

REFERENCES

url: http://www.securityfocus.com/bid/107108

Trust: 2.3

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190220-hyper-retrieve

Trust: 2.0

url: https://nvd.nist.gov/vuln/detail/cve-2019-1666

Trust: 1.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1666

Trust: 0.8

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190220-hyper-xss

Trust: 0.6

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190220-chn-root-access

Trust: 0.6

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190220-hyperflex-injection

Trust: 0.6

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190220-hyper-write

Trust: 0.6

url: https://www.auscert.org.au/bulletins/75874

Trust: 0.6

url: https://www.auscert.org.au/bulletins/esb-2019.0532.3/

Trust: 0.6

url: http://www.nsfocus.net/vulndb/42794

Trust: 0.6

url: http://www.cisco.com/

Trust: 0.3

sources: VULHUB: VHN-148828 // BID: 107108 // JVNDB: JVNDB-2019-001944 // CNNVD: CNNVD-201902-795 // NVD: CVE-2019-1666

CREDITS

This vulnerability was found during internal security testing. Cisco, vendor

Trust: 0.6

sources: CNNVD: CNNVD-201902-795

SOURCES

db: VULHUB | id: VHN-148828
db: VULMON | id: CVE-2019-1666
db: BID | id: 107108
db: JVNDB | id: JVNDB-2019-001944
db: CNNVD | id: CNNVD-201902-795
db: NVD | id: CVE-2019-1666

LAST UPDATE DATE

2024-11-23T21:52:30.411000+00:00


SOURCES UPDATE DATE

db: VULHUB | id: VHN-148828 | date: 2020-10-05T00:00:00
db: VULMON | id: CVE-2019-1666 | date: 2020-10-05T00:00:00
db: BID | id: 107108 | date: 2019-02-20T00:00:00
db: JVNDB | id: JVNDB-2019-001944 | date: 2019-03-29T00:00:00
db: CNNVD | id: CNNVD-201902-795 | date: 2020-10-09T00:00:00
db: NVD | id: CVE-2019-1666 | date: 2024-11-21T04:37:03.137

SOURCES RELEASE DATE

db: VULHUB | id: VHN-148828 | date: 2019-02-21T00:00:00
db: VULMON | id: CVE-2019-1666 | date: 2019-02-21T00:00:00
db: BID | id: 107108 | date: 2019-02-20T00:00:00
db: JVNDB | id: JVNDB-2019-001944 | date: 2019-03-29T00:00:00
db: CNNVD | id: CNNVD-201902-795 | date: 2019-02-21T00:00:00
db: NVD | id: CVE-2019-1666 | date: 2019-02-21T19:29:00.460