ID

VAR-201906-0686


CVE

CVE-2019-1903


TITLE

XML External Entity Vulnerability in Cisco Security Manager

Trust: 0.8

sources: JVNDB: JVNDB-2019-005717

DESCRIPTION

A vulnerability in Cisco Security Manager could allow an unauthenticated, remote attacker to access sensitive information or cause a denial of service (DoS) condition. The vulnerability is due to improper restrictions on XML entities. An attacker could exploit this vulnerability by sending malicious requests to a targeted system that contain references within XML entities. An exploit could allow the attacker to retrieve files from the local system, resulting in the disclosure of sensitive information, or cause the application to consume available resources, resulting in a DoS condition. This issue is tracked by Cisco Bug ID CSCvp33120. Cisco Security Manager (CSM) is a set of enterprise-level management applications from Cisco, mainly used to configure firewall, VPN and intrusion prevention security services on Cisco network and security devices. A code issue vulnerability exists in Cisco CSM where the program does not properly constrain XML entities.

Trust: 1.98

sources: NVD: CVE-2019-1903 // JVNDB: JVNDB-2019-005717 // BID: 108857 // VULHUB: VHN-151435

AFFECTED PRODUCTS

vendor: cisco, model: security manager, scope: eq, version: 4.14

Trust: 1.0

vendor: cisco, model: security manager, scope: -, version: -

Trust: 0.8

vendor: cisco, model: security manager 4.14 sp2, scope: -, version: -

Trust: 0.3

vendor: cisco, model: security manager, scope: ne, version: 4.20(0.89)

Trust: 0.3

vendor: cisco, model: security manager, scope: ne, version: 4.19(0.212)

Trust: 0.3

vendor: cisco, model: security manager 4.19 sp1, scope: ne, version: -

Trust: 0.3

vendor: cisco, model: security manager, scope: ne, version: 4.17(0.77)

Trust: 0.3

vendor: cisco, model: security manager, scope: ne, version: 4.14(0.131)

Trust: 0.3

sources: BID: 108857 // JVNDB: JVNDB-2019-005717 // NVD: CVE-2019-1903

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-1903
value: CRITICAL

Trust: 1.0

ykramarz@cisco.com: CVE-2019-1903
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-1903
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-201906-802
value: CRITICAL

Trust: 0.6

VULHUB: VHN-151435
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-1903
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-151435
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-1903
baseSeverity: CRITICAL
baseScore: 9.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.2
version: 3.0

Trust: 1.8

ykramarz@cisco.com: CVE-2019-1903
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: LOW
exploitabilityScore: 3.9
impactScore: 2.5
version: 3.0

Trust: 1.0

sources: VULHUB: VHN-151435 // JVNDB: JVNDB-2019-005717 // CNNVD: CNNVD-201906-802 // NVD: CVE-2019-1903 // NVD: CVE-2019-1903

PROBLEMTYPE DATA

problemtype:CWE-611

Trust: 1.9

sources: VULHUB: VHN-151435 // JVNDB: JVNDB-2019-005717 // NVD: CVE-2019-1903

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201906-802

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-201906-802

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-005717

PATCH

title: cisco-sa-20190619-csm-xml, url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190619-csm-xml

Trust: 0.8

title: Cisco Security Manager Fixes for code issue vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=93952

Trust: 0.6

sources: JVNDB: JVNDB-2019-005717 // CNNVD: CNNVD-201906-802

EXTERNAL IDS

db: NVD, id: CVE-2019-1903

Trust: 2.8

db: BID, id: 108857

Trust: 2.0

db: JVNDB, id: JVNDB-2019-005717

Trust: 0.8

db: CNNVD, id: CNNVD-201906-802

Trust: 0.7

db: AUSCERT, id: ESB-2019.2206

Trust: 0.6

db: VULHUB, id: VHN-151435

Trust: 0.1

sources: VULHUB: VHN-151435 // BID: 108857 // JVNDB: JVNDB-2019-005717 // CNNVD: CNNVD-201906-802 // NVD: CVE-2019-1903

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190619-csm-xml

Trust: 2.0

url:http://www.securityfocus.com/bid/108857

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2019-1903

Trust: 1.4

url:http://www.cisco.com/

Trust: 0.9

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1903

Trust: 0.8

url:https://www.auscert.org.au/bulletins/esb-2019.2206/

Trust: 0.6

sources: VULHUB: VHN-151435 // BID: 108857 // JVNDB: JVNDB-2019-005717 // CNNVD: CNNVD-201906-802 // NVD: CVE-2019-1903

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 108857

SOURCES

db: VULHUB, id: VHN-151435
db: BID, id: 108857
db: JVNDB, id: JVNDB-2019-005717
db: CNNVD, id: CNNVD-201906-802
db: NVD, id: CVE-2019-1903

LAST UPDATE DATE

2024-11-23T22:55:31.834000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-151435, date: 2019-10-09T00:00:00
db: BID, id: 108857, date: 2019-06-19T00:00:00
db: JVNDB, id: JVNDB-2019-005717, date: 2019-06-27T00:00:00
db: CNNVD, id: CNNVD-201906-802, date: 2019-06-27T00:00:00
db: NVD, id: CVE-2019-1903, date: 2024-11-21T04:37:39.163

SOURCES RELEASE DATE

db: VULHUB, id: VHN-151435, date: 2019-06-20T00:00:00
db: BID, id: 108857, date: 2019-06-19T00:00:00
db: JVNDB, id: JVNDB-2019-005717, date: 2019-06-27T00:00:00
db: CNNVD, id: CNNVD-201906-802, date: 2019-06-19T00:00:00
db: NVD, id: CVE-2019-1903, date: 2019-06-20T03:15:12.540