ID

VAR-201903-0575


CVE

CVE-2019-1763


TITLE

Access control vulnerability in multiple Cisco IP Phone 8800 Series products

Trust: 0.8

sources: JVNDB: JVNDB-2019-003058

DESCRIPTION

A vulnerability in the web-based management interface of Session Initiation Protocol (SIP) Software for Cisco IP Phone 8800 Series could allow an unauthenticated, remote attacker to bypass authorization, access critical services, and cause a denial of service (DoS) condition. The vulnerability exists because the software fails to sanitize URLs before it handles requests. An attacker could exploit this vulnerability by submitting a crafted URL. A successful exploit could allow the attacker to gain unauthorized access to critical services and cause a DoS condition. This vulnerability affects Cisco IP Phone 8800 Series products running a SIP Software release prior to 11.0(5) for Wireless IP Phone 8821 and 8821-EX, and prior to 12.5(1)SR1 for the IP Conference Phone 8832 and the rest of the IP Phone 8800 Series. Cisco IP Conference Phone 8831 is not affected. This may lead to further attacks. This issue is being tracked by Cisco bug IDs CSCvn56175 and CSCvo58414.

Trust: 1.89

sources: NVD: CVE-2019-1763 // JVNDB: JVNDB-2019-003058 // BID: 107499

AFFECTED PRODUCTS

vendor: cisco, model: ip phone 8821, scope: lt, version: 11.0(5)

Trust: 1.0

vendor: cisco, model: ip conference phone 8832, scope: lt, version: 12.5(1)sr1

Trust: 1.0

vendor: cisco, model: ip phone 8821-ex, scope: lt, version: 11.0(5)

Trust: 1.0

vendor: cisco, model: ip phone 8800, scope: lt, version: 12.5(1)sr1

Trust: 1.0

vendor: cisco, model: ip conference phone 8832, scope: lt, version: 12.5(1)sr1

Trust: 0.8

vendor: cisco, model: ip phone 8800 series, scope: lt, version: 12.5(1)sr1

Trust: 0.8

vendor: cisco, model: ip phone 8821, scope: lt, version: 11.0(5)

Trust: 0.8

vendor: cisco, model: ip phone 8821-ex, scope: lt, version: 11.0(5)

Trust: 0.8

vendor: cisco, model: wireless ip phone 8821-ex 11.0 sr3, scope: -, version: -

Trust: 0.3

vendor: cisco, model: wireless ip phone 8821-ex 11.0 sr2, scope: -, version: -

Trust: 0.3

vendor: cisco, model: wireless ip phone 8821-ex 11.0 sr1, scope: -, version: -

Trust: 0.3

vendor: cisco, model: wireless ip phone 11.0 sr3, scope: eq, version: 8821

Trust: 0.3

vendor: cisco, model: wireless ip phone 11.0 sr2, scope: eq, version: 8821

Trust: 0.3

vendor: cisco, model: wireless ip phone 11.0 sr1, scope: eq, version: 8821

Trust: 0.3

vendor: cisco, model: ip phone series, scope: eq, version: 880012.5(1)

Trust: 0.3

vendor: cisco, model: ip phone series 11.0 sr2, scope: eq, version: 8800

Trust: 0.3

vendor: cisco, model: ip conference phone, scope: eq, version: 883212.1

Trust: 0.3

vendor: cisco, model: wireless ip phone 8821-ex, scope: ne, version: 11.0(5)

Trust: 0.3

vendor: cisco, model: wireless ip phone, scope: ne, version: 882111.0(5)

Trust: 0.3

vendor: cisco, model: unified ip conference phone, scope: ne, version: 88310

Trust: 0.3

vendor: cisco, model: ip phone series 12.6 mn128, scope: ne, version: 8800

Trust: 0.3

vendor: cisco, model: ip phone series 12.5 sr2, scope: ne, version: 8800

Trust: 0.3

vendor: cisco, model: ip phone series 12.5 sr1.3, scope: ne, version: 8800

Trust: 0.3

vendor: cisco, model: ip phone series 12.5 es2, scope: ne, version: 8800

Trust: 0.3

vendor: cisco, model: ip phone series, scope: ne, version: 880011.0(5.12)

Trust: 0.3

vendor: cisco, model: ip phone series, scope: ne, version: 880011.0(5)

Trust: 0.3

vendor: cisco, model: ip phone series 11.0 mn63, scope: ne, version: 8800

Trust: 0.3

vendor: cisco, model: ip conference phone 12.5 sr1, scope: ne, version: 8832

Trust: 0.3

sources: BID: 107499 // JVNDB: JVNDB-2019-003058 // NVD: CVE-2019-1763

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-1763
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2019-1763
value: HIGH

Trust: 1.0

NVD: CVE-2019-1763
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201903-692
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2019-1763
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

ykramarz@cisco.com: CVE-2019-1763
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 1.8

nvd@nist.gov: CVE-2019-1763
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

sources: JVNDB: JVNDB-2019-003058 // CNNVD: CNNVD-201903-692 // NVD: CVE-2019-1763 // NVD: CVE-2019-1763

PROBLEMTYPE DATA

problemtype:CWE-284

Trust: 1.8

problemtype:NVD-CWE-Other

Trust: 1.0

sources: JVNDB: JVNDB-2019-003058 // NVD: CVE-2019-1763

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201903-692

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-201903-692

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-003058

PATCH

title: cisco-sa-20190320-ipab, url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190320-ipab

Trust: 0.8

title: Cisco IP Phone 8800 Series Session Initiation Protocol Fixes for software access control error vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=90245

Trust: 0.6

sources: JVNDB: JVNDB-2019-003058 // CNNVD: CNNVD-201903-692

EXTERNAL IDS

db: NVD, id: CVE-2019-1763

Trust: 2.7

db: JVNDB, id: JVNDB-2019-003058

Trust: 0.8

db: CNNVD, id: CNNVD-201903-692

Trust: 0.6

db: BID, id: 107499

Trust: 0.3

sources: BID: 107499 // JVNDB: JVNDB-2019-003058 // CNNVD: CNNVD-201903-692 // NVD: CVE-2019-1763

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190320-ipab

Trust: 1.9

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1763

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2019-1763

Trust: 0.8

url:http://www.cisco.com/

Trust: 0.3

sources: BID: 107499 // JVNDB: JVNDB-2019-003058 // CNNVD: CNNVD-201903-692 // NVD: CVE-2019-1763

CREDITS

David Gullasch of modzero AG.

Trust: 0.6

sources: CNNVD: CNNVD-201903-692

SOURCES

db: BID, id: 107499
db: JVNDB, id: JVNDB-2019-003058
db: CNNVD, id: CNNVD-201903-692
db: NVD, id: CVE-2019-1763

LAST UPDATE DATE

2024-11-23T22:17:07.178000+00:00


SOURCES UPDATE DATE

db: BID, id: 107499, date: 2019-03-20T00:00:00
db: JVNDB, id: JVNDB-2019-003058, date: 2019-05-08T00:00:00
db: CNNVD, id: CNNVD-201903-692, date: 2019-03-21T00:00:00
db: NVD, id: CVE-2019-1763, date: 2024-11-21T04:37:19.370

SOURCES RELEASE DATE

db: BID, id: 107499, date: 2019-03-20T00:00:00
db: JVNDB, id: JVNDB-2019-003058, date: 2019-05-08T00:00:00
db: CNNVD, id: CNNVD-201903-692, date: 2019-03-20T00:00:00
db: NVD, id: CVE-2019-1763, date: 2019-03-22T20:29:00.400