ID

VAR-201902-0463


CVE

CVE-2019-1698


TITLE

XML external entity vulnerability in Cisco Internet of Things Field Network Director software

Trust: 0.8

sources: JVNDB: JVNDB-2019-001945

DESCRIPTION

A vulnerability in the web-based user interface of Cisco Internet of Things Field Network Director (IoT-FND) Software could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system. The vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by importing a crafted XML file with malicious entries, which could allow the attacker to read files within the affected application. Versions prior to 4.4(0.26) are affected. Cisco IoT Field Network Director (IoT-FND) is a set of end-to-end IoT management systems from Cisco (USA). The system has functions such as equipment management, asset tracking and intelligent metering. This issue is being tracked by Cisco bug ID CSCvm85075.

Trust: 3.06

sources: NVD: CVE-2019-1698 // JVNDB: JVNDB-2019-001945 // CNVD: CNVD-2020-12733 // CNNVD: CNNVD-201902-798 // BID: 107093 // VULHUB: VHN-149180

IOT TAXONOMY

category: ['IoT'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-12733

AFFECTED PRODUCTS

vendor: cisco, model: iot field network director, scope: lt, version: 4.4(0.26)

Trust: 1.4

vendor: cisco, model: iot field network director, scope: lt, version: 4.4\(0.26\)

Trust: 1.0

vendor: cisco, model: network level service, scope: eq, version: 4.2(1.2)

Trust: 0.3

vendor: cisco, model: network level service, scope: ne, version: 4.4(0.26)

Trust: 0.3

sources: CNVD: CNVD-2020-12733 // BID: 107093 // JVNDB: JVNDB-2019-001945 // NVD: CVE-2019-1698

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-1698
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2019-1698
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-1698
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2020-12733
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201902-798
value: MEDIUM

Trust: 0.6

VULHUB: VHN-149180
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-1698
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2020-12733
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-149180
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-1698
baseSeverity: MEDIUM
baseScore: 4.9
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.2
impactScore: 3.6
version: 3.0

Trust: 2.8

sources: CNVD: CNVD-2020-12733 // VULHUB: VHN-149180 // JVNDB: JVNDB-2019-001945 // CNNVD: CNNVD-201902-798 // NVD: CVE-2019-1698 // NVD: CVE-2019-1698

PROBLEMTYPE DATA

problemtype: CWE-611

Trust: 1.9

sources: VULHUB: VHN-149180 // JVNDB: JVNDB-2019-001945 // NVD: CVE-2019-1698

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201902-798

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-201902-798

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-001945

PATCH

title: cisco-sa-20190220-iot-fnd-xml, url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190220-iot-fnd-xml

Trust: 0.8

title: Patch for Cisco IoT Field Network Director XML External Entity Injection Vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/203051

Trust: 0.6

title: Cisco IoT Field Network Director Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=89592

Trust: 0.6

sources: CNVD: CNVD-2020-12733 // JVNDB: JVNDB-2019-001945 // CNNVD: CNNVD-201902-798

EXTERNAL IDS

db: NVD, id: CVE-2019-1698

Trust: 3.4

db: BID, id: 107093

Trust: 2.0

db: JVNDB, id: JVNDB-2019-001945

Trust: 0.8

db: CNVD, id: CNVD-2020-12733

Trust: 0.7

db: CNNVD, id: CNNVD-201902-798

Trust: 0.7

db: NSFOCUS, id: 42791

Trust: 0.6

db: AUSCERT, id: ESB-2019.0534

Trust: 0.6

db: VULHUB, id: VHN-149180

Trust: 0.1

sources: CNVD: CNVD-2020-12733 // VULHUB: VHN-149180 // BID: 107093 // JVNDB: JVNDB-2019-001945 // CNNVD: CNNVD-201902-798 // NVD: CVE-2019-1698

REFERENCES

url: http://www.securityfocus.com/bid/107093

Trust: 2.3

url: https://nvd.nist.gov/vuln/detail/cve-2019-1698

Trust: 2.0

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190220-iot-fnd-xml

Trust: 2.0

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1698

Trust: 0.8

url: https://www.auscert.org.au/bulletins/75882

Trust: 0.6

url: http://www.nsfocus.net/vulndb/42791

Trust: 0.6

url: http://www.cisco.com/

Trust: 0.3

sources: CNVD: CNVD-2020-12733 // VULHUB: VHN-149180 // BID: 107093 // JVNDB: JVNDB-2019-001945 // CNNVD: CNNVD-201902-798 // NVD: CVE-2019-1698

CREDITS

This vulnerability was found during internal security testing. Cisco, vendor

Trust: 0.6

sources: CNNVD: CNNVD-201902-798

SOURCES

db: CNVD, id: CNVD-2020-12733
db: VULHUB, id: VHN-149180
db: BID, id: 107093
db: JVNDB, id: JVNDB-2019-001945
db: CNNVD, id: CNNVD-201902-798
db: NVD, id: CVE-2019-1698

LAST UPDATE DATE

2024-11-23T23:08:27.434000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2020-12733, date: 2020-02-23T00:00:00
db: VULHUB, id: VHN-149180, date: 2019-10-09T00:00:00
db: BID, id: 107093, date: 2019-02-20T00:00:00
db: JVNDB, id: JVNDB-2019-001945, date: 2019-03-29T00:00:00
db: CNNVD, id: CNNVD-201902-798, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2019-1698, date: 2024-11-21T04:37:07.587

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2020-12733, date: 2020-02-23T00:00:00
db: VULHUB, id: VHN-149180, date: 2019-02-21T00:00:00
db: BID, id: 107093, date: 2019-02-20T00:00:00
db: JVNDB, id: JVNDB-2019-001945, date: 2019-03-29T00:00:00
db: CNNVD, id: CNNVD-201902-798, date: 2019-02-21T00:00:00
db: NVD, id: CVE-2019-1698, date: 2019-02-21T21:29:00.267