Details of VAR-201903-0562

ID

VAR-201903-0562

CVE

CVE-2019-1755

TITLE

Cisco IOS XE Software input validation vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-002959

DESCRIPTION

A vulnerability in the Web Services Management Agent (WSMA) function of Cisco IOS XE Software could allow an authenticated, remote attacker to execute arbitrary Cisco IOS commands as a privilege level 15 user. The vulnerability occurs because the affected software improperly sanitizes user-supplied input. An attacker could exploit this vulnerability by submitting crafted HTTP requests to the targeted application. A successful exploit could allow the attacker to execute arbitrary commands on the affected device. Cisco IOS XE The software contains an input validation vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The vulnerability stems from the fact that the program does not properly filter the input submitted by the user

Trust: 2.07

sources: NVD: CVE-2019-1755 // JVNDB: JVNDB-2019-002959 // BID: 107380 // VULHUB: VHN-149807 // VULMON: CVE-2019-1755

AFFECTED PRODUCTS

vendor:	cisco	model:	ios xe	scope:	eq	version:	16.3.5	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.7.1b	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.4.1	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	3.6.10e	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.5.1b	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.5.3	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.3.4	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	3.2.0ja	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.6.3	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.3.7	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.6.2	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.5.2	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.7.1	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.8.1a	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.3.1	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.8.1e	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.8.1b	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.6.1	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.1.1	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.7.1a	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.2.2	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.3.8	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.8.1s	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.8.1c	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.3.5b	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.3.6	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.5.1	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.3.2	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.3.3	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.5.1a	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.8.1	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.1.3	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.1.2	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.8.1d	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.4.2	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.4.3	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.3.1a	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.2.1	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	ios xe software	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	ios	scope:	eq	version:	16.7.1	Trust: 0.3
vendor:	cisco	model:	ios fuji	scope:	eq	version:	16.9.1	Trust: 0.3
vendor:	cisco	model:	ios fuji	scope:	eq	version:	16.8.1	Trust: 0.3

sources: BID: 107380 // JVNDB: JVNDB-2019-002959 // NVD: CVE-2019-1755

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-1755
value:	HIGH
Trust: 1.0
ykramarz@cisco.com:	CVE-2019-1755
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2019-1755
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201903-1090
value:	HIGH
Trust: 0.6
VULHUB:	VHN-149807
value:	HIGH
Trust: 0.1
VULMON:	CVE-2019-1755
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2019-1755
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-149807
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-1755
baseSeverity:	HIGH
baseScore:	7.2
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.2
impactScore:	5.9
version:	3.0
Trust: 1.8
ykramarz@cisco.com:	CVE-2019-1755
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.2
impactScore:	5.2
version:	3.0
Trust: 1.0

sources: VULHUB: VHN-149807 // VULMON: CVE-2019-1755 // JVNDB: JVNDB-2019-002959 // CNNVD: CNNVD-201903-1090 // NVD: CVE-2019-1755 // NVD: CVE-2019-1755

PROBLEMTYPE DATA

problemtype:

CWE-20

Trust: 1.9

sources: VULHUB: VHN-149807 // JVNDB: JVNDB-2019-002959 // NVD: CVE-2019-1755

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201903-1090

TYPE

Input Validation Error

Trust: 0.9

sources: BID: 107380 // CNNVD: CNNVD-201903-1090

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-002959

PATCH

title:	cisco-sa-20190327-iosxe-cmdinj	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-iosxe-cmdinj	Trust: 0.8
title:	Cisco IOS XE Enter the fix for the verification vulnerability	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=90505	Trust: 0.6
title:	Cisco: Cisco IOS XE Software Command Injection Vulnerability	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-20190327-iosxe-cmdinj	Trust: 0.1
title:	Threatpost	url:	https://threatpost.com/cisco-releases-flood-of-patches-for-ios-xe-and-small-business-routers/143228/	Trust: 0.1

sources: VULMON: CVE-2019-1755 // JVNDB: JVNDB-2019-002959 // CNNVD: CNNVD-201903-1090

EXTERNAL IDS

db:	NVD	id:	CVE-2019-1755	Trust: 2.9
db:	BID	id:	107380	Trust: 2.1
db:	JVNDB	id:	JVNDB-2019-002959	Trust: 0.8
db:	CNNVD	id:	CNNVD-201903-1090	Trust: 0.7
db:	VULHUB	id:	VHN-149807	Trust: 0.1
db:	VULMON	id:	CVE-2019-1755	Trust: 0.1

sources: VULHUB: VHN-149807 // VULMON: CVE-2019-1755 // BID: 107380 // JVNDB: JVNDB-2019-002959 // CNNVD: CNNVD-201903-1090 // NVD: CVE-2019-1755

REFERENCES

url:	http://www.securityfocus.com/bid/107380	Trust: 2.5
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190327-iosxe-cmdinj	Trust: 2.2
url:	https://nvd.nist.gov/vuln/detail/cve-2019-1755	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1755	Trust: 0.8
url:	https://vigilance.fr/vulnerability/cisco-ios-ios-xe-multiple-vulnerabilities-28888	Trust: 0.6
url:	http://www.cisco.com/	Trust: 0.3
url:	https://cwe.mitre.org/data/definitions/20.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://threatpost.com/cisco-releases-flood-of-patches-for-ios-xe-and-small-business-routers/143228/	Trust: 0.1

sources: VULHUB: VHN-149807 // VULMON: CVE-2019-1755 // BID: 107380 // JVNDB: JVNDB-2019-002959 // CNNVD: CNNVD-201903-1090 // NVD: CVE-2019-1755

CREDITS

Cisco

Trust: 0.9

sources: BID: 107380 // CNNVD: CNNVD-201903-1090

SOURCES

db:	VULHUB	id:	VHN-149807
db:	VULMON	id:	CVE-2019-1755
db:	BID	id:	107380
db:	JVNDB	id:	JVNDB-2019-002959
db:	CNNVD	id:	CNNVD-201903-1090
db:	NVD	id:	CVE-2019-1755

LAST UPDATE DATE

2024-08-14T15:07:43.817000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-149807	date:	2019-10-09T00:00:00
db:	VULMON	id:	CVE-2019-1755	date:	2019-10-09T00:00:00
db:	BID	id:	107380	date:	2019-03-27T00:00:00
db:	JVNDB	id:	JVNDB-2019-002959	date:	2019-04-26T00:00:00
db:	CNNVD	id:	CNNVD-201903-1090	date:	2019-10-17T00:00:00
db:	NVD	id:	CVE-2019-1755	date:	2019-10-09T23:47:59.033

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-149807	date:	2019-03-28T00:00:00
db:	VULMON	id:	CVE-2019-1755	date:	2019-03-28T00:00:00
db:	BID	id:	107380	date:	2019-03-27T00:00:00
db:	JVNDB	id:	JVNDB-2019-002959	date:	2019-04-26T00:00:00
db:	CNNVD	id:	CNNVD-201903-1090	date:	2019-03-27T00:00:00
db:	NVD	id:	CVE-2019-1755	date:	2019-03-28T01:29:00.330