ID

VAR-201903-0587


CVE

CVE-2019-1588


TITLE

Cisco Nexus 9000 Series Fabric Switch Input validation vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-002272

DESCRIPTION

A vulnerability in the Cisco Nexus 9000 Series Fabric Switches running in Application-Centric Infrastructure (ACI) mode could allow an authenticated, local attacker to read arbitrary files on an affected device. The vulnerability is due to a lack of proper validation of user-supplied input sent to an affected device. A successful exploit could give the attacker unauthorized read access to arbitrary files on the affected device. This vulnerability has been fixed in version 14.0(1h). Cisco Nexus 9000 Series Fabric Switch contains an input validation vulnerability. Information may be obtained. This may aid in further attacks. This issue is being tracked by Cisco Bug ID CSCvm52064.

Trust: 2.52

sources: NVD: CVE-2019-1588 // JVNDB: JVNDB-2019-002272 // CNVD: CNVD-2019-06595 // BID: 107316 // VULHUB: VHN-147970

IOT TAXONOMY

category: ['Network device'] sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2019-06595

AFFECTED PRODUCTS

vendor: cisco model: nx-os scope: lt version: 14.0(1h)

Trust: 1.0

vendor: cisco model: nx-os scope: - version: -

Trust: 0.8

vendor: cisco model: nexus none scope: eq version: 9000

Trust: 0.6

vendor: cisco model: nx-os software scope: eq version: 0

Trust: 0.3

vendor: cisco model: nexus series fabric switches aci mode scope: eq version: 9000-0

Trust: 0.3

sources: CNVD: CNVD-2019-06595 // BID: 107316 // JVNDB: JVNDB-2019-002272 // NVD: CVE-2019-1588

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-1588
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2019-1588
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-1588
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2019-06595
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201903-166
value: MEDIUM

Trust: 0.6

VULHUB: VHN-147970
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2019-1588
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2019-06595
severity: MEDIUM
baseScore: 4.0
vectorString: AV:L/AC:H/AU:N/C:C/I:N/A:N
accessVector: LOCAL
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.9
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-147970
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

ykramarz@cisco.com: CVE-2019-1588
baseSeverity: MEDIUM
baseScore: 4.4
vectorString: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 0.8
impactScore: 3.6
version: 3.0

Trust: 1.8

nvd@nist.gov: CVE-2019-1588
baseSeverity: MEDIUM
baseScore: 4.4
vectorString: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 0.8
impactScore: 3.6
version: 3.1

Trust: 1.0

sources: CNVD: CNVD-2019-06595 // VULHUB: VHN-147970 // JVNDB: JVNDB-2019-002272 // CNNVD: CNNVD-201903-166 // NVD: CVE-2019-1588 // NVD: CVE-2019-1588

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.9

problemtype:CWE-269

Trust: 1.1

sources: VULHUB: VHN-147970 // JVNDB: JVNDB-2019-002272 // NVD: CVE-2019-1588

THREAT TYPE

local

Trust: 0.9

sources: BID: 107316 // CNNVD: CNNVD-201903-166

TYPE

Input Validation Error

Trust: 0.9

sources: BID: 107316 // CNNVD: CNNVD-201903-166

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-002272

PATCH

title: cisco-sa-20190306-aci-file-read url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190306-aci-file-read

Trust: 0.8

title: Cisco Nexus 9000 ACI Mode Patch for Any File Read Vulnerability url: https://www.cnvd.org.cn/patchInfo/show/155555

Trust: 0.6

title: Cisco Nexus 9000 Series Fabric Switches Security vulnerabilities url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=89841

Trust: 0.6

sources: CNVD: CNVD-2019-06595 // JVNDB: JVNDB-2019-002272 // CNNVD: CNNVD-201903-166

EXTERNAL IDS

db: NVD id: CVE-2019-1588

Trust: 3.4

db: BID id: 107316

Trust: 2.0

db: JVNDB id: JVNDB-2019-002272

Trust: 0.8

db: CNNVD id: CNNVD-201903-166

Trust: 0.7

db: CNVD id: CNVD-2019-06595

Trust: 0.6

db: AUSCERT id: ESB-2019.0715

Trust: 0.6

db: VULHUB id: VHN-147970

Trust: 0.1

sources: CNVD: CNVD-2019-06595 // VULHUB: VHN-147970 // BID: 107316 // JVNDB: JVNDB-2019-002272 // CNNVD: CNNVD-201903-166 // NVD: CVE-2019-1588

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190306-aci-file-read

Trust: 2.6

url:http://www.securityfocus.com/bid/107316

Trust: 2.3

url:https://nvd.nist.gov/vuln/detail/cve-2019-1588

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1588

Trust: 0.8

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190306-aci-controller-privsec

Trust: 0.6

url:https://vigilance.fr/vulnerability/cisco-nx-os-nexus-multiple-vulnerabilities-28681

Trust: 0.6

url:https://www.auscert.org.au/bulletins/76638

Trust: 0.6

url:http://www.cisco.com/

Trust: 0.3

sources: CNVD: CNVD-2019-06595 // VULHUB: VHN-147970 // BID: 107316 // JVNDB: JVNDB-2019-002272 // CNNVD: CNNVD-201903-166 // NVD: CVE-2019-1588

CREDITS

Nicolas Biscos and Gaëtan Ferry from Synacktiv

Trust: 0.6

sources: CNNVD: CNNVD-201903-166

SOURCES

db: CNVD id: CNVD-2019-06595
db: VULHUB id: VHN-147970
db: BID id: 107316
db: JVNDB id: JVNDB-2019-002272
db: CNNVD id: CNNVD-201903-166
db: NVD id: CVE-2019-1588

LAST UPDATE DATE

2024-11-23T23:04:49.569000+00:00


SOURCES UPDATE DATE

db: CNVD id: CNVD-2019-06595 date: 2019-03-08T00:00:00
db: VULHUB id: VHN-147970 date: 2020-10-19T00:00:00
db: BID id: 107316 date: 2019-03-06T00:00:00
db: JVNDB id: JVNDB-2019-002272 date: 2019-04-05T00:00:00
db: CNNVD id: CNNVD-201903-166 date: 2020-10-20T00:00:00
db: NVD id: CVE-2019-1588 date: 2024-11-21T04:36:52.040

SOURCES RELEASE DATE

db: CNVD id: CNVD-2019-06595 date: 2019-03-06T00:00:00
db: VULHUB id: VHN-147970 date: 2019-03-06T00:00:00
db: BID id: 107316 date: 2019-03-06T00:00:00
db: JVNDB id: JVNDB-2019-002272 date: 2019-04-05T00:00:00
db: CNNVD id: CNNVD-201903-166 date: 2019-03-06T00:00:00
db: NVD id: CVE-2019-1588 date: 2019-03-06T21:29:00.357