Details of VAR-201905-0528

ID

VAR-201905-0528

CVE

CVE-2019-1824

TITLE

Cisco Prime Infrastructure and Evolved Programmable Network Manager In SQL Injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-004654

DESCRIPTION

A vulnerability in the web-based management interface of Cisco Prime Infrastructure (PI) and Cisco Evolved Programmable Network (EPN) Manager could allow an authenticated, remote attacker to execute arbitrary SQL queries. This vulnerability exist because the software improperly validates user-supplied input in SQL queries. An attacker could exploit this vulnerability by sending a crafted HTTP request that contains malicious SQL statements to the affected application. A successful exploit could allow the attacker to view or modify entries in some database tables, affecting the integrity of the data. This issue is tracked by Cisco Bug ID's CSCvo23576, CSCvo28734, CSCvo62268 and CSCvo62275. Attackers can exploit this vulnerability to execute illegal SQL commands

Trust: 2.07

sources: NVD: CVE-2019-1824 // JVNDB: JVNDB-2019-004654 // BID: 108337 // VULHUB: VHN-150566 // VULMON: CVE-2019-1824

AFFECTED PRODUCTS

vendor:	cisco	model:	evolved programmable network manager	scope:	lt	version:	3.0.1	Trust: 1.0
vendor:	cisco	model:	prime infrastructure	scope:	lt	version:	3.4.1	Trust: 1.0
vendor:	cisco	model:	evolved programmable network manager	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	prime infrastructure	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	3.4	Trust: 0.3
vendor:	cisco	model:	evolved programmable network manager	scope:	eq	version:	3.0	Trust: 0.3
vendor:	cisco	model:	prime infrastructure	scope:	ne	version:	3.4.1	Trust: 0.3
vendor:	cisco	model:	prime infrastructure	scope:	ne	version:	3.6	Trust: 0.3
vendor:	cisco	model:	prime infrastructure	scope:	ne	version:	3.5	Trust: 0.3
vendor:	cisco	model:	evolved programmable network manager	scope:	ne	version:	3.0.1	Trust: 0.3

sources: BID: 108337 // JVNDB: JVNDB-2019-004654 // NVD: CVE-2019-1824

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-1824
value:	HIGH
Trust: 1.0
ykramarz@cisco.com:	CVE-2019-1824
value:	HIGH
Trust: 1.0
NVD:	CVE-2019-1824
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201905-697
value:	HIGH
Trust: 0.6
VULHUB:	VHN-150566
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2019-1824
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2019-1824
severity:	MEDIUM
baseScore:	5.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-150566
severity:	MEDIUM
baseScore:	5.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-1824
baseSeverity:	HIGH
baseScore:	8.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	5.2
version:	3.0
Trust: 2.8

sources: VULHUB: VHN-150566 // VULMON: CVE-2019-1824 // JVNDB: JVNDB-2019-004654 // CNNVD: CNNVD-201905-697 // NVD: CVE-2019-1824 // NVD: CVE-2019-1824

PROBLEMTYPE DATA

problemtype:

CWE-89

Trust: 1.9

sources: VULHUB: VHN-150566 // JVNDB: JVNDB-2019-004654 // NVD: CVE-2019-1824

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201905-697

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-201905-697

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-004654

PATCH

title:	cisco-sa-20190515-pi-sqlinject	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-pi-sqlinject	Trust: 0.8
title:	Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=92821	Trust: 0.6
title:	Cisco: Cisco Prime Infrastructure and Evolved Programmable Network Manager SQL Injection Vulnerabilities	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-20190515-pi-sqlinject	Trust: 0.1
title:	Threatpost	url:	https://threatpost.com/cisco-webex-remote-code-execution/144805/	Trust: 0.1

sources: VULMON: CVE-2019-1824 // JVNDB: JVNDB-2019-004654 // CNNVD: CNNVD-201905-697

EXTERNAL IDS

db:	NVD	id:	CVE-2019-1824	Trust: 2.9
db:	BID	id:	108337	Trust: 2.1
db:	JVNDB	id:	JVNDB-2019-004654	Trust: 0.8
db:	CNNVD	id:	CNNVD-201905-697	Trust: 0.7
db:	AUSCERT	id:	ESB-2019.1753	Trust: 0.6
db:	VULHUB	id:	VHN-150566	Trust: 0.1
db:	VULMON	id:	CVE-2019-1824	Trust: 0.1

sources: VULHUB: VHN-150566 // VULMON: CVE-2019-1824 // BID: 108337 // JVNDB: JVNDB-2019-004654 // CNNVD: CNNVD-201905-697 // NVD: CVE-2019-1824

REFERENCES

url:	http://www.securityfocus.com/bid/108337	Trust: 2.5
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190515-pi-sqlinject	Trust: 2.2
url:	https://nvd.nist.gov/vuln/detail/cve-2019-1824	Trust: 1.4
url:	http://www.cisco.com/	Trust: 0.9
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1824	Trust: 0.8
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190515-pi-pathtrav-1819	Trust: 0.6
url:	https://vigilance.fr/vulnerability/cisco-prime-infrastructure-sql-injection-via-web-ui-29318	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/81094	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/89.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://threatpost.com/cisco-webex-remote-code-execution/144805/	Trust: 0.1

sources: VULHUB: VHN-150566 // VULMON: CVE-2019-1824 // BID: 108337 // JVNDB: JVNDB-2019-004654 // CNNVD: CNNVD-201905-697 // NVD: CVE-2019-1824

CREDITS

Steven Seeley (mr_me) of Source Incite.

Trust: 0.9

sources: BID: 108337 // CNNVD: CNNVD-201905-697

SOURCES

db:	VULHUB	id:	VHN-150566
db:	VULMON	id:	CVE-2019-1824
db:	BID	id:	108337
db:	JVNDB	id:	JVNDB-2019-004654
db:	CNNVD	id:	CNNVD-201905-697
db:	NVD	id:	CVE-2019-1824

LAST UPDATE DATE

2024-11-23T21:59:57.409000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-150566	date:	2019-10-09T00:00:00
db:	VULMON	id:	CVE-2019-1824	date:	2019-10-09T00:00:00
db:	BID	id:	108337	date:	2019-05-15T00:00:00
db:	JVNDB	id:	JVNDB-2019-004654	date:	2019-06-05T00:00:00
db:	CNNVD	id:	CNNVD-201905-697	date:	2019-05-21T00:00:00
db:	NVD	id:	CVE-2019-1824	date:	2024-11-21T04:37:28.487

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-150566	date:	2019-05-16T00:00:00
db:	VULMON	id:	CVE-2019-1824	date:	2019-05-16T00:00:00
db:	BID	id:	108337	date:	2019-05-15T00:00:00
db:	JVNDB	id:	JVNDB-2019-004654	date:	2019-06-05T00:00:00
db:	CNNVD	id:	CNNVD-201905-697	date:	2019-05-15T00:00:00
db:	NVD	id:	CVE-2019-1824	date:	2019-05-16T01:29:00.670