Sign-up

ID

VAR-201907-0235


CVE

CVE-2019-1889


TITLE

Cisco Application Policy Infrastructure Controller Vulnerability in authorization, authority and access control in software

Trust: 0.8

sources: JVNDB: JVNDB-2019-006271

DESCRIPTION

A vulnerability in the REST API for software device management in Cisco Application Policy Infrastructure Controller (APIC) Software could allow an authenticated, remote attacker to escalate privileges to root on an affected device. The vulnerability is due to incomplete validation and error checking for the file path when specific software is uploaded. An attacker could exploit this vulnerability by uploading malicious software using the REST API. A successful exploit could allow an attacker to escalate their privilege level to root. The attacker would need to have the administrator role on the device. This issue is being tracked by Cisco Bug ID CSCvp64857. The vulnerability stems from the lack of effective permissions and access control measures in network systems or products

Trust: 1.98

sources: NVD: CVE-2019-1889 // JVNDB: JVNDB-2019-006271 // BID: 109035 // VULHUB: VHN-151281

AFFECTED PRODUCTS

vendor:ciscomodel:application policy infrastructure controllerscope:eqversion:4.1\(1j\)

Trust: 1.0

vendor:ciscomodel:application policy infrastructure controller softwarescope: - version: -

Trust: 0.8

vendor:ciscomodel:application policy infrastructure controller 3.2scope: - version: -

Trust: 0.6

vendor:ciscomodel:application policy infrastructure controller 4.1scope: - version: -

Trust: 0.3

vendor:ciscomodel:application policy infrastructure controller 4.0scope: - version: -

Trust: 0.3

vendor:ciscomodel:application policy infrastructure controller 2.3scope: - version: -

Trust: 0.3

vendor:ciscomodel:application policy infrastructure controllerscope:eqversion:2.2(1)

Trust: 0.3

vendor:ciscomodel:application policy infrastructure controller 2.1scope: - version: -

Trust: 0.3

vendor:ciscomodel:application policy infrastructure controller 2.0scope: - version: -

Trust: 0.3

vendor:ciscomodel:application policy infrastructure controllerscope:eqversion:2.0(0.400)

Trust: 0.3

vendor:ciscomodel:application policy infrastructure controller 1.3scope: - version: -

Trust: 0.3

vendor:ciscomodel:application policy infrastructure controller 4.1scope:neversion: -

Trust: 0.3

sources: BID: 109035 // JVNDB: JVNDB-2019-006271 // NVD: CVE-2019-1889

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-1889
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2019-1889
value: HIGH

Trust: 1.0

NVD: CVE-2019-1889
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201907-228
value: HIGH

Trust: 0.6

VULHUB: VHN-151281
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-1889
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-151281
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

ykramarz@cisco.com: CVE-2019-1889
baseSeverity: HIGH
baseScore: 7.2
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.2
impactScore: 5.9
version: 3.0

Trust: 1.8

nvd@nist.gov: CVE-2019-1889
baseSeverity: HIGH
baseScore: 7.2
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.2
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-151281 // JVNDB: JVNDB-2019-006271 // CNNVD: CNNVD-201907-228 // NVD: CVE-2019-1889 // NVD: CVE-2019-1889

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.9

problemtype:CWE-20

Trust: 1.1

sources: VULHUB: VHN-151281 // JVNDB: JVNDB-2019-006271 // NVD: CVE-2019-1889

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201907-228

TYPE

Input Validation Error

Trust: 0.9

sources: BID: 109035 // CNNVD: CNNVD-201907-228

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-006271

PATCH
title:cisco-sa-20190703-ccapic-restapiurl:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190703-ccapic-restapi
Trust: 0.8
title:Cisco Application Policy Infrastructure Controller Fixes for permissions and access control issues vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=94417
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2019-006271 // 
            
            
            
            CNNVD: CNNVD-201907-228

EXTERNAL IDS
db:NVDid:CVE-2019-1889
Trust: 2.8
db:BIDid:109035
Trust: 1.0
db:JVNDBid:JVNDB-2019-006271
Trust: 0.8
db:CNNVDid:CNNVD-201907-228
Trust: 0.7
db:AUSCERTid:ESB-2019.2451
Trust: 0.6
db:VULHUBid:VHN-151281
Trust: 0.1
sources:
            
            
            VULHUB: VHN-151281 // 
            
            
            
            BID: 109035 // 
            
            
            
            JVNDB: JVNDB-2019-006271 // 
            
            
            
            CNNVD: CNNVD-201907-228 // 
            
            
            
            NVD: CVE-2019-1889

REFERENCES
url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190703-ccapic-restapi
Trust: 2.0
url:https://nvd.nist.gov/vuln/detail/cve-2019-1889
Trust: 1.4
url:http://www.cisco.com/
Trust: 0.9
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1889
Trust: 0.8
url:https://www.auscert.org.au/bulletins/esb-2019.2451/
Trust: 0.6
url:https://www.securityfocus.com/bid/109035
Trust: 0.6
sources:
            
            
            VULHUB: VHN-151281 // 
            
            
            
            BID: 109035 // 
            
            
            
            JVNDB: JVNDB-2019-006271 // 
            
            
            
            CNNVD: CNNVD-201907-228 // 
            
            
            
            NVD: CVE-2019-1889

CREDITS
Frank Block from ERNW Research GmbH .,Frank Block from ERNW Research GmbH.
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-201907-228

SOURCES
db:VULHUBid:VHN-151281
db:BIDid:109035
db:JVNDBid:JVNDB-2019-006271
db:CNNVDid:CNNVD-201907-228
db:NVDid:CVE-2019-1889

LAST UPDATE DATE
2024-08-14T14:51:07.995000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-151281date:2020-10-16T00:00:00
db:BIDid:109035date:2019-07-03T00:00:00
db:JVNDBid:JVNDB-2019-006271date:2019-07-17T00:00:00
db:CNNVDid:CNNVD-201907-228date:2020-10-28T00:00:00
db:NVDid:CVE-2019-1889date:2020-10-16T15:08:56.237

SOURCES RELEASE DATE
db:VULHUBid:VHN-151281date:2019-07-04T00:00:00
db:BIDid:109035date:2019-07-03T00:00:00
db:JVNDBid:JVNDB-2019-006271date:2019-07-17T00:00:00
db:CNNVDid:CNNVD-201907-228date:2019-07-03T00:00:00
db:NVDid:CVE-2019-1889date:2019-07-04T20:15:11.063