ID

VAR-201903-0561


CVE

CVE-2019-1754


TITLE

Cisco IOS XE Software input validation vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-002958

DESCRIPTION

A vulnerability in the authorization subsystem of Cisco IOS XE Software could allow an authenticated but unprivileged (level 1), remote attacker to run privileged Cisco IOS commands by using the web UI. The vulnerability is due to improper validation of user privileges of web UI users. An attacker could exploit this vulnerability by submitting a malicious payload to a specific endpoint in the web UI. A successful exploit could allow the lower-privileged attacker to execute arbitrary commands with higher privileges on the affected device. Cisco IOS XE Software contains an input validation vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). This issue is being tracked by Cisco Bug ID CSCvi36813.

Trust: 1.98

sources: NVD: CVE-2019-1754 // JVNDB: JVNDB-2019-002958 // BID: 107590 // VULHUB: VHN-149796

AFFECTED PRODUCTS

vendor: cisco, model: ios xe, scope: eq, version: 16.8.1c

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.7.1b

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.9.1d

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.8.1

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.7.1a

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.7.1

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.8.1a

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.8.1d

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.9.1s

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.8.1e

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.9.1c

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.8.1b

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.8.2

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.9.1b

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 3.2.0ja

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.8.1s

Trust: 1.0

vendor: cisco, model: ios xe, scope: -, version: -

Trust: 0.8

vendor: cisco, model: ios xe software, scope: eq, version: 0

Trust: 0.3

vendor: cisco, model: ios, scope: eq, version: 16.7.1

Trust: 0.3

sources: BID: 107590 // JVNDB: JVNDB-2019-002958 // NVD: CVE-2019-1754

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-1754
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2019-1754
value: HIGH

Trust: 1.0

NVD: CVE-2019-1754
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201903-1097
value: HIGH

Trust: 0.6

VULHUB: VHN-149796
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-1754
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-149796
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

ykramarz@cisco.com: CVE-2019-1754
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

nvd@nist.gov: CVE-2019-1754
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-149796 // JVNDB: JVNDB-2019-002958 // CNNVD: CNNVD-201903-1097 // NVD: CVE-2019-1754 // NVD: CVE-2019-1754

PROBLEMTYPE DATA

problemtype: CWE-20

Trust: 1.9

problemtype: CWE-269

Trust: 1.1

sources: VULHUB: VHN-149796 // JVNDB: JVNDB-2019-002958 // NVD: CVE-2019-1754

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201903-1097

TYPE

Input Validation Error

Trust: 0.9

sources: BID: 107590 // CNNVD: CNNVD-201903-1097

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-002958

PATCH

title: cisco-sa-20190327-iosxe-privesc, url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-iosxe-privesc

Trust: 0.8

title: Cisco IOS XE input validation vulnerability fix, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=90512

Trust: 0.6

sources: JVNDB: JVNDB-2019-002958 // CNNVD: CNNVD-201903-1097

EXTERNAL IDS

db: NVD, id: CVE-2019-1754

Trust: 2.8

db: BID, id: 107590

Trust: 2.0

db: JVNDB, id: JVNDB-2019-002958

Trust: 0.8

db: CNNVD, id: CNNVD-201903-1097

Trust: 0.7

db: VULHUB, id: VHN-149796

Trust: 0.1

sources: VULHUB: VHN-149796 // BID: 107590 // JVNDB: JVNDB-2019-002958 // CNNVD: CNNVD-201903-1097 // NVD: CVE-2019-1754

REFERENCES

url: http://www.securityfocus.com/bid/107590

Trust: 2.3

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190327-iosxe-privesc

Trust: 2.0

url: https://nvd.nist.gov/vuln/detail/cve-2019-1754

Trust: 1.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1754

Trust: 0.8

url: https://vigilance.fr/vulnerability/cisco-ios-ios-xe-multiple-vulnerabilities-28888

Trust: 0.6

url: http://www.cisco.com/

Trust: 0.3

sources: VULHUB: VHN-149796 // BID: 107590 // JVNDB: JVNDB-2019-002958 // CNNVD: CNNVD-201903-1097 // NVD: CVE-2019-1754

CREDITS

Cisco

Trust: 0.9

sources: BID: 107590 // CNNVD: CNNVD-201903-1097

SOURCES

db: VULHUB, id: VHN-149796
db: BID, id: 107590
db: JVNDB, id: JVNDB-2019-002958
db: CNNVD, id: CNNVD-201903-1097
db: NVD, id: CVE-2019-1754

LAST UPDATE DATE

2024-08-14T15:18:06.351000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-149796, date: 2020-10-08T00:00:00
db: BID, id: 107590, date: 2019-03-27T00:00:00
db: JVNDB, id: JVNDB-2019-002958, date: 2019-04-26T00:00:00
db: CNNVD, id: CNNVD-201903-1097, date: 2020-10-09T00:00:00
db: NVD, id: CVE-2019-1754, date: 2020-10-08T21:01:46.750

SOURCES RELEASE DATE

db: VULHUB, id: VHN-149796, date: 2019-03-28T00:00:00
db: BID, id: 107590, date: 2019-03-27T00:00:00
db: JVNDB, id: JVNDB-2019-002958, date: 2019-04-26T00:00:00
db: CNNVD, id: CNNVD-201903-1097, date: 2019-03-27T00:00:00
db: NVD, id: CVE-2019-1754, date: 2019-03-28T01:29:00.283