Sign-up

ID

VAR-201903-0577


CVE

CVE-2019-1690


TITLE

Cisco Application Policy Infrastructure Controller Software access control vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-002452

DESCRIPTION

A vulnerability in the management interface of Cisco Application Policy Infrastructure Controller (APIC) software could allow an unauthenticated, adjacent attacker to gain unauthorized access on an affected device. The vulnerability is due to a lack of proper access control mechanisms for IPv6 link-local connectivity imposed on the management interface of an affected device. An attacker on the same physical network could exploit this vulnerability by attempting to connect to the IPv6 link-local address on the affected device. A successful exploit could allow the attacker to bypass default access control restrictions on an affected device. Cisco Application Policy Infrastructure Controller (APIC) devices running versions prior to 4.2(0.21c) are affected. This may lead to further attacks. This issue is being tracked by Cisco Bug ID CSCvn09855

Trust: 1.98

sources: NVD: CVE-2019-1690 // JVNDB: JVNDB-2019-002452 // BID: 107317 // VULHUB: VHN-149092

AFFECTED PRODUCTS

vendor:ciscomodel:application policy infrastructure controllerscope:ltversion:4.2\(0.21c\)

Trust: 1.0

vendor:ciscomodel:application policy infrastructure controllerscope:ltversion:4.2(0.21c)

Trust: 0.8

vendor:ciscomodel:application policy infrastructure controllerscope:eqversion:0

Trust: 0.3

sources: BID: 107317 // JVNDB: JVNDB-2019-002452 // NVD: CVE-2019-1690

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-1690
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2019-1690
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-1690
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201903-203
value: MEDIUM

Trust: 0.6

VULHUB: VHN-149092
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2019-1690
severity: LOW
baseScore: 3.3
vectorString: AV:A/AC:L/AU:N/C:N/I:P/A:N
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.5
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-149092
severity: LOW
baseScore: 3.3
vectorString: AV:A/AC:L/AU:N/C:N/I:P/A:N
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.5
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-1690
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.1

Trust: 1.0

ykramarz@cisco.com: CVE-2019-1690
baseSeverity: MEDIUM
baseScore: 4.3
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 1.4
version: 3.0

Trust: 1.0

NVD: CVE-2019-1690
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: ADJACENT NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-149092 // JVNDB: JVNDB-2019-002452 // CNNVD: CNNVD-201903-203 // NVD: CVE-2019-1690 // NVD: CVE-2019-1690

PROBLEMTYPE DATA

problemtype:CWE-284

Trust: 1.9

problemtype:NVD-CWE-Other

Trust: 1.0

sources: VULHUB: VHN-149092 // JVNDB: JVNDB-2019-002452 // NVD: CVE-2019-1690

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-201903-203

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-201903-203

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-002452

PATCH
title:cisco-sa-20190306-apic-ipv6url:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190306-apic-ipv6
Trust: 0.8
title:Cisco Application Policy Infrastructure Controller Fixes for access control error vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=89873
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2019-002452 // 
            
            
            
            CNNVD: CNNVD-201903-203

EXTERNAL IDS
db:NVDid:CVE-2019-1690
Trust: 2.8
db:BIDid:107317
Trust: 2.0
db:JVNDBid:JVNDB-2019-002452
Trust: 0.8
db:CNNVDid:CNNVD-201903-203
Trust: 0.7
db:AUSCERTid:ESB-2019.0713.2
Trust: 0.6
db:VULHUBid:VHN-149092
Trust: 0.1
sources:
            
            
            VULHUB: VHN-149092 // 
            
            
            
            BID: 107317 // 
            
            
            
            JVNDB: JVNDB-2019-002452 // 
            
            
            
            CNNVD: CNNVD-201903-203 // 
            
            
            
            NVD: CVE-2019-1690

REFERENCES
url:http://www.securityfocus.com/bid/107317
Trust: 2.3
url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190306-apic-ipv6
Trust: 2.0
url:https://nvd.nist.gov/vuln/detail/cve-2019-1690
Trust: 1.4
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1690
Trust: 0.8
url:https://www.auscert.org.au/bulletins/76630
Trust: 0.6
url:http://www.cisco.com/
Trust: 0.3
sources:
            
            
            VULHUB: VHN-149092 // 
            
            
            
            BID: 107317 // 
            
            
            
            JVNDB: JVNDB-2019-002452 // 
            
            
            
            CNNVD: CNNVD-201903-203 // 
            
            
            
            NVD: CVE-2019-1690

CREDITS
Costin Enache with DETACK GmbH .
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-201903-203

SOURCES
db:VULHUBid:VHN-149092
db:BIDid:107317
db:JVNDBid:JVNDB-2019-002452
db:CNNVDid:CNNVD-201903-203
db:NVDid:CVE-2019-1690

LAST UPDATE DATE
2024-08-14T14:32:45.723000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-149092date:2020-10-16T00:00:00
db:BIDid:107317date:2019-03-06T00:00:00
db:JVNDBid:JVNDB-2019-002452date:2019-04-09T00:00:00
db:CNNVDid:CNNVD-201903-203date:2020-10-21T00:00:00
db:NVDid:CVE-2019-1690date:2020-10-16T13:04:35.550

SOURCES RELEASE DATE
db:VULHUBid:VHN-149092date:2019-03-11T00:00:00
db:BIDid:107317date:2019-03-06T00:00:00
db:JVNDBid:JVNDB-2019-002452date:2019-04-09T00:00:00
db:CNNVDid:CNNVD-201903-203date:2019-03-06T00:00:00
db:NVDid:CVE-2019-1690date:2019-03-11T21:29:01.090