ID

VAR-201904-0243


CVE

CVE-2019-1720


TITLE

Cisco Expressway Series and TelePresence Video Communication Server Input validation vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-003531

DESCRIPTION

A vulnerability in the XML API of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an authenticated, remote attacker to cause the CPU to increase to 100% utilization, causing a denial of service (DoS) condition on an affected system. The vulnerability is due to improper handling of the XML input. An attacker could exploit this vulnerability by sending a specifically crafted XML payload. A successful exploit could allow the attacker to exhaust CPU resources, resulting in a DoS condition until the system is manually rebooted. Software versions prior to X12.5.1 are affected. This issue is being tracked by Cisco Bug ID CSCvn99036. The Cisco Expressway Series is an advanced collaboration gateway for unified communications. The vulnerability is caused by the network system or product not properly validating the input data.

Trust: 1.98

sources: NVD: CVE-2019-1720 // JVNDB: JVNDB-2019-003531 // BID: 108002 // VULHUB: VHN-149422

AFFECTED PRODUCTS

vendor: cisco, model: telepresence video communication server, scope: lt, version: x12.5.1

Trust: 1.0

vendor: cisco, model: telepresence video communication server software, scope: lt, version: x12.5.1

Trust: 0.8

vendor: cisco, model: telepresence video communication server, scope: eq, version: 0

Trust: 0.3

vendor: cisco, model: expressway series, scope: eq, version: 0

Trust: 0.3

sources: BID: 108002 // JVNDB: JVNDB-2019-003531 // NVD: CVE-2019-1720

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-1720
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2019-1720
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-1720
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201904-827
value: MEDIUM

Trust: 0.6

VULHUB: VHN-149422
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-1720
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:L/AU:S/C:N/I:N/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-149422
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:L/AU:S/C:N/I:N/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-1720
baseSeverity: MEDIUM
baseScore: 4.9
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 1.2
impactScore: 3.6
version: 3.0

Trust: 1.8

ykramarz@cisco.com: CVE-2019-1720
baseSeverity: MEDIUM
baseScore: 6.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: CHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 2.3
impactScore: 4.0
version: 3.0

Trust: 1.0

sources: VULHUB: VHN-149422 // JVNDB: JVNDB-2019-003531 // CNNVD: CNNVD-201904-827 // NVD: CVE-2019-1720 // NVD: CVE-2019-1720

PROBLEMTYPE DATA

problemtype: CWE-20

Trust: 1.9

sources: VULHUB: VHN-149422 // JVNDB: JVNDB-2019-003531 // NVD: CVE-2019-1720

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201904-827

TYPE

Input Validation Error

Trust: 0.9

sources: BID: 108002 // CNNVD: CNNVD-201904-827

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-003531

PATCH

title: cisco-sa-20190417-ces-tvcs-dos
url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190417-ces-tvcs-dos

Trust: 0.8

title: Cisco Expressway Series and Cisco TelePresence Video Communication Server Enter the fix for the verification error vulnerability
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=91662

Trust: 0.6

sources: JVNDB: JVNDB-2019-003531 // CNNVD: CNNVD-201904-827

EXTERNAL IDS

db: NVD, id: CVE-2019-1720

Trust: 2.8

db: BID, id: 108002

Trust: 2.0

db: JVNDB, id: JVNDB-2019-003531

Trust: 0.8

db: CNNVD, id: CNNVD-201904-827

Trust: 0.7

db: AUSCERT, id: ESB-2019.1330.2

Trust: 0.6

db: VULHUB, id: VHN-149422

Trust: 0.1

sources: VULHUB: VHN-149422 // BID: 108002 // JVNDB: JVNDB-2019-003531 // CNNVD: CNNVD-201904-827 // NVD: CVE-2019-1720

REFERENCES

url: http://www.securityfocus.com/bid/108002

Trust: 2.3

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190417-ces-tvcs-dos

Trust: 2.0

url: https://nvd.nist.gov/vuln/detail/cve-2019-1720

Trust: 1.4

url: http://www.cisco.com/

Trust: 0.9

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1720

Trust: 0.8

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190417-ex-vcs-xsrf

Trust: 0.6

url: https://www.auscert.org.au/bulletins/79282

Trust: 0.6

sources: VULHUB: VHN-149422 // BID: 108002 // JVNDB: JVNDB-2019-003531 // CNNVD: CNNVD-201904-827 // NVD: CVE-2019-1720

CREDITS

Cisco

Trust: 0.9

sources: BID: 108002 // CNNVD: CNNVD-201904-827

SOURCES

db: VULHUB, id: VHN-149422
db: BID, id: 108002
db: JVNDB, id: JVNDB-2019-003531
db: CNNVD, id: CNNVD-201904-827
db: NVD, id: CVE-2019-1720

LAST UPDATE DATE

2024-11-23T21:52:21.997000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-149422, date: 2019-10-09T00:00:00
db: BID, id: 108002, date: 2019-04-17T00:00:00
db: JVNDB, id: JVNDB-2019-003531, date: 2019-05-20T00:00:00
db: CNNVD, id: CNNVD-201904-827, date: 2019-04-22T00:00:00
db: NVD, id: CVE-2019-1720, date: 2024-11-21T04:37:10.500

SOURCES RELEASE DATE

db: VULHUB, id: VHN-149422, date: 2019-04-18T00:00:00
db: BID, id: 108002, date: 2019-04-17T00:00:00
db: JVNDB, id: JVNDB-2019-003531, date: 2019-05-20T00:00:00
db: CNNVD, id: CNNVD-201904-827, date: 2019-04-17T00:00:00
db: NVD, id: CVE-2019-1720, date: 2019-04-18T01:29:01.827