ID

VAR-201905-0516


CVE

CVE-2019-1819


TITLE

Cisco Prime Infrastructure and Evolved Programmable Network Manager Path traversal vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-004649

DESCRIPTION

A vulnerability in the web-based management interface of Cisco Prime Infrastructure and Cisco Evolved Programmable Network (EPN) Manager software could allow an authenticated, remote attacker to download and view files within the application that should be restricted. This vulnerability is due to improper sanitization of user-supplied input in HTTP request parameters that describe filenames. An attacker could exploit this vulnerability by using directory traversal techniques to submit a path to a desired file location. A successful exploit could allow the attacker to view application files that may contain sensitive information. This issue is being tracked by Cisco Bug IDs CSCvo28677 and CSCvo62260. The vulnerability stems from a network system or product that fails to properly filter resources or special elements in file paths.

Trust: 1.98

sources: NVD: CVE-2019-1819 // JVNDB: JVNDB-2019-004649 // BID: 108351 // VULHUB: VHN-150511

AFFECTED PRODUCTS

vendor: cisco // model: evolved programmable network manager // scope: lt // version: 3.0.1

Trust: 1.0

vendor: cisco // model: prime infrastructure // scope: lt // version: 3.4

Trust: 1.0

vendor: cisco // model: evolved programmable network manager // scope: - // version: -

Trust: 0.8

vendor: cisco // model: prime infrastructure // scope: - // version: -

Trust: 0.8

vendor: cisco // model: prime infrastructure // scope: eq // version: 3.3

Trust: 0.3

vendor: cisco // model: prime infrastructure // scope: eq // version: 3.2

Trust: 0.3

vendor: cisco // model: prime infrastructure // scope: eq // version: 3.1

Trust: 0.3

vendor: cisco // model: prime infrastructure // scope: eq // version: 3.0

Trust: 0.3

vendor: cisco // model: evolved programmable network manager // scope: eq // version: 3.0

Trust: 0.3

vendor: cisco // model: prime infrastructure // scope: ne // version: 3.6

Trust: 0.3

vendor: cisco // model: prime infrastructure // scope: ne // version: 3.5

Trust: 0.3

vendor: cisco // model: prime infrastructure // scope: ne // version: 3.4

Trust: 0.3

vendor: cisco // model: evolved programmable network manager // scope: ne // version: 3.0.1

Trust: 0.3

sources: BID: 108351 // JVNDB: JVNDB-2019-004649 // NVD: CVE-2019-1819

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-1819
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2019-1819
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-1819
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201905-696
value: MEDIUM

Trust: 0.6

VULHUB: VHN-150511
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-1819
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-150511
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

ykramarz@cisco.com: CVE-2019-1819
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.0

Trust: 1.8

nvd@nist.gov: CVE-2019-1819
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-150511 // JVNDB: JVNDB-2019-004649 // CNNVD: CNNVD-201905-696 // NVD: CVE-2019-1819 // NVD: CVE-2019-1819

PROBLEMTYPE DATA

problemtype:CWE-22

Trust: 1.9

sources: VULHUB: VHN-150511 // JVNDB: JVNDB-2019-004649 // NVD: CVE-2019-1819

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201905-696

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-201905-696

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-004649

PATCH

title: cisco-sa-20190515-pi-pathtrav-1819 // url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-pi-pathtrav-1819

Trust: 0.8

title: Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager software Security vulnerabilities // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=92820

Trust: 0.6

sources: JVNDB: JVNDB-2019-004649 // CNNVD: CNNVD-201905-696

EXTERNAL IDS

db: NVD // id: CVE-2019-1819

Trust: 2.8

db: BID // id: 108351

Trust: 2.0

db: JVNDB // id: JVNDB-2019-004649

Trust: 0.8

db: CNNVD // id: CNNVD-201905-696

Trust: 0.7

db: AUSCERT // id: ESB-2019.1753

Trust: 0.6

db: VULHUB // id: VHN-150511

Trust: 0.1

sources: VULHUB: VHN-150511 // BID: 108351 // JVNDB: JVNDB-2019-004649 // CNNVD: CNNVD-201905-696 // NVD: CVE-2019-1819

REFERENCES

url:http://www.securityfocus.com/bid/108351

Trust: 2.3

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190515-pi-pathtrav-1819

Trust: 2.0

url:https://nvd.nist.gov/vuln/detail/cve-2019-1819

Trust: 1.4

url:http://www.cisco.com

Trust: 0.9

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1819

Trust: 0.8

url:https://vigilance.fr/vulnerability/cisco-prime-infrastructure-multiple-vulnerabilities-via-the-web-console-web-29342

Trust: 0.6

url:https://www.auscert.org.au/bulletins/81094

Trust: 0.6

sources: VULHUB: VHN-150511 // BID: 108351 // JVNDB: JVNDB-2019-004649 // CNNVD: CNNVD-201905-696 // NVD: CVE-2019-1819

CREDITS

Steven Seeley (mr_me) of Source Incite.

Trust: 0.9

sources: BID: 108351 // CNNVD: CNNVD-201905-696

SOURCES

db: VULHUB // id: VHN-150511
db: BID // id: 108351
db: JVNDB // id: JVNDB-2019-004649
db: CNNVD // id: CNNVD-201905-696
db: NVD // id: CVE-2019-1819

LAST UPDATE DATE

2024-11-23T21:59:57.476000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-150511 // date: 2019-10-09T00:00:00
db: BID // id: 108351 // date: 2019-05-15T00:00:00
db: JVNDB // id: JVNDB-2019-004649 // date: 2019-06-05T00:00:00
db: CNNVD // id: CNNVD-201905-696 // date: 2019-05-21T00:00:00
db: NVD // id: CVE-2019-1819 // date: 2024-11-21T04:37:27.780

SOURCES RELEASE DATE

db: VULHUB // id: VHN-150511 // date: 2019-05-16T00:00:00
db: BID // id: 108351 // date: 2019-05-15T00:00:00
db: JVNDB // id: JVNDB-2019-004649 // date: 2019-06-05T00:00:00
db: CNNVD // id: CNNVD-201905-696 // date: 2019-05-15T00:00:00
db: NVD // id: CVE-2019-1819 // date: 2019-05-16T01:29:00.360