ID

VAR-201907-0232


CVE

CVE-2019-1893


TITLE

Cisco Enterprise NFV Infrastructure Software Command injection vulnerability

Trust: 1.4

sources: JVNDB: JVNDB-2019-006255 // CNNVD: CNNVD-201907-232

DESCRIPTION

A vulnerability in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system (OS) of an affected device as root. The vulnerability is due to insufficient input validation of a configuration file that is accessible to a local shell user. An attacker could exploit this vulnerability by including malicious input during the execution of this file. A successful exploit could allow the attacker to execute arbitrary commands on the underlying OS as root. This issue is being tracked by Cisco Bug ID CSCvn12421. The platform provides full lifecycle management of virtualized services through the central coordinator and controller.

Trust: 1.98

sources: NVD: CVE-2019-1893 // JVNDB: JVNDB-2019-006255 // BID: 109036 // VULHUB: VHN-151325

AFFECTED PRODUCTS

vendor: cisco, model: enterprise nfv infrastructure software, scope: eq, version: 3.9.1

Trust: 1.3

vendor: cisco, model: enterprise nfv infrastructure software, scope: -, version: -

Trust: 0.8

vendor: cisco, model: enterprise nfv infrastructure software, scope: eq, version: 3.9.2

Trust: 0.3

vendor: cisco, model: enterprise nfv infrastructure software, scope: eq, version: 3.8.1

Trust: 0.3

vendor: cisco, model: enterprise nfv infrastructure software, scope: eq, version: 3.7.1

Trust: 0.3

vendor: cisco, model: enterprise nfv infrastructure software, scope: eq, version: 3.6.3

Trust: 0.3

vendor: cisco, model: enterprise nfv infrastructure software, scope: ne, version: 3.10.1

Trust: 0.3

sources: BID: 109036 // JVNDB: JVNDB-2019-006255 // NVD: CVE-2019-1893

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-1893
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2019-1893
value: HIGH

Trust: 1.0

NVD: CVE-2019-1893
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201907-232
value: HIGH

Trust: 0.6

VULHUB: VHN-151325
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-1893
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-151325
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

ykramarz@cisco.com: CVE-2019-1893
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 1.8

nvd@nist.gov: CVE-2019-1893
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-151325 // JVNDB: JVNDB-2019-006255 // CNNVD: CNNVD-201907-232 // NVD: CVE-2019-1893 // NVD: CVE-2019-1893

PROBLEMTYPE DATA

problemtype: CWE-77

Trust: 1.9

problemtype: CWE-78

Trust: 1.1

sources: VULHUB: VHN-151325 // JVNDB: JVNDB-2019-006255 // NVD: CVE-2019-1893

THREAT TYPE

local

Trust: 0.9

sources: BID: 109036 // CNNVD: CNNVD-201907-232

TYPE

operating system command injection

Trust: 0.6

sources: CNNVD: CNNVD-201907-232

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-006255

PATCH

title: cisco-sa-20190703-nfvis-commandinj
url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190703-nfvis-commandinj

Trust: 0.8

title: Cisco Enterprise NFV Infrastructure Software Fixes for command injection vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=94421

Trust: 0.6

sources: JVNDB: JVNDB-2019-006255 // CNNVD: CNNVD-201907-232

EXTERNAL IDS

db: NVD, id: CVE-2019-1893

Trust: 2.8

db: BID, id: 109036

Trust: 1.0

db: JVNDB, id: JVNDB-2019-006255

Trust: 0.8

db: CNNVD, id: CNNVD-201907-232

Trust: 0.7

db: AUSCERT, id: ESB-2019.2438

Trust: 0.6

db: VULHUB, id: VHN-151325

Trust: 0.1

sources: VULHUB: VHN-151325 // BID: 109036 // JVNDB: JVNDB-2019-006255 // CNNVD: CNNVD-201907-232 // NVD: CVE-2019-1893

REFERENCES

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190703-nfvis-commandinj

Trust: 2.0

url: https://nvd.nist.gov/vuln/detail/cve-2019-1893

Trust: 1.4

url: http://www.cisco.com/

Trust: 0.9

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1893

Trust: 0.8

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190703-nfvis-file-readwrite

Trust: 0.6

url: https://www.auscert.org.au/bulletins/esb-2019.2438/

Trust: 0.6

url: https://www.securityfocus.com/bid/109036

Trust: 0.6

sources: VULHUB: VHN-151325 // BID: 109036 // JVNDB: JVNDB-2019-006255 // CNNVD: CNNVD-201907-232 // NVD: CVE-2019-1893

CREDITS

Cisco.

Trust: 0.9

sources: BID: 109036 // CNNVD: CNNVD-201907-232

SOURCES

db: VULHUB, id: VHN-151325
db: BID, id: 109036
db: JVNDB, id: JVNDB-2019-006255
db: CNNVD, id: CNNVD-201907-232
db: NVD, id: CVE-2019-1893

LAST UPDATE DATE

2024-11-23T22:11:58.322000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-151325, date: 2020-10-16T00:00:00
db: BID, id: 109036, date: 2019-07-03T00:00:00
db: JVNDB, id: JVNDB-2019-006255, date: 2019-07-17T00:00:00
db: CNNVD, id: CNNVD-201907-232, date: 2020-10-21T00:00:00
db: NVD, id: CVE-2019-1893, date: 2024-11-21T04:37:37.933

SOURCES RELEASE DATE

db: VULHUB, id: VHN-151325, date: 2019-07-06T00:00:00
db: BID, id: 109036, date: 2019-07-03T00:00:00
db: JVNDB, id: JVNDB-2019-006255, date: 2019-07-17T00:00:00
db: CNNVD, id: CNNVD-201907-232, date: 2019-07-03T00:00:00
db: NVD, id: CVE-2019-1893, date: 2019-07-06T02:15:11.370