ID

VAR-201907-0393


CVE

CVE-2019-1942


TITLE

SQL Injection Vulnerability in Cisco Identity Services Engine

Trust: 0.8

sources: JVNDB: JVNDB-2019-006926

DESCRIPTION

A vulnerability in the sponsor portal web interface for Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to impact the integrity of an affected system by executing arbitrary SQL queries. The vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending crafted input that includes SQL statements to an affected system. A successful exploit could allow the attacker to modify entries in some database tables, affecting the integrity of the data. At the time of publication, this vulnerability affected Cisco ISE running software releases 2.6.0 and prior. This issue is being tracked by Cisco Bug ID CSCvp29278. The ISE platform monitors the network by collecting real-time information on the network, users and devices, and by formulating and implementing corresponding policies.

Trust: 1.98

sources: NVD: CVE-2019-1942 // JVNDB: JVNDB-2019-006926 // BID: 109283 // VULHUB: VHN-151864

AFFECTED PRODUCTS

vendor: cisco, model: identity services engine, scope: lte, version: 2.6.0

Trust: 1.8

vendor: cisco, model: identity services engine, scope: eq, version: 2.6

Trust: 0.3

vendor: cisco, model: identity services engine, scope: eq, version: 2.4(0.902)

Trust: 0.3

vendor: cisco, model: identity services engine, scope: eq, version: 2.3(0.904)

Trust: 0.3

sources: BID: 109283 // JVNDB: JVNDB-2019-006926 // NVD: CVE-2019-1942

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-1942
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2019-1942
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-1942
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201907-1008
value: MEDIUM

Trust: 0.6

VULHUB: VHN-151864
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-1942
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-151864
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-1942
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.0

Trust: 1.8

ykramarz@cisco.com: CVE-2019-1942
baseSeverity: MEDIUM
baseScore: 4.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 1.4
version: 3.0

Trust: 1.0

sources: VULHUB: VHN-151864 // JVNDB: JVNDB-2019-006926 // CNNVD: CNNVD-201907-1008 // NVD: CVE-2019-1942 // NVD: CVE-2019-1942

PROBLEMTYPE DATA

problemtype: CWE-89

Trust: 1.9

sources: VULHUB: VHN-151864 // JVNDB: JVNDB-2019-006926 // NVD: CVE-2019-1942

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201907-1008

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-201907-1008

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-006926

PATCH

title: cisco-sa-20190717-ise-sql-inject, url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190717-ise-sql-inject

Trust: 0.8

title: Cisco Identity Services Engine SQL injection vulnerability remediation measures, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=95040

Trust: 0.6

sources: JVNDB: JVNDB-2019-006926 // CNNVD: CNNVD-201907-1008

EXTERNAL IDS

db: NVD, id: CVE-2019-1942

Trust: 2.8

db: BID, id: 109283

Trust: 2.0

db: JVNDB, id: JVNDB-2019-006926

Trust: 0.8

db: CNNVD, id: CNNVD-201907-1008

Trust: 0.7

db: AUSCERT, id: ESB-2019.2677

Trust: 0.6

db: VULHUB, id: VHN-151864

Trust: 0.1

sources: VULHUB: VHN-151864 // BID: 109283 // JVNDB: JVNDB-2019-006926 // CNNVD: CNNVD-201907-1008 // NVD: CVE-2019-1942

REFERENCES

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190717-ise-sql-inject

Trust: 2.0

url: http://www.securityfocus.com/bid/109283

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2019-1942

Trust: 1.4

url: http://www.cisco.com/

Trust: 0.9

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1942

Trust: 0.8

url: https://www.auscert.org.au/bulletins/esb-2019.2677/

Trust: 0.6

sources: VULHUB: VHN-151864 // BID: 109283 // JVNDB: JVNDB-2019-006926 // CNNVD: CNNVD-201907-1008 // NVD: CVE-2019-1942

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 109283

SOURCES

db: VULHUB, id: VHN-151864
db: BID, id: 109283
db: JVNDB, id: JVNDB-2019-006926
db: CNNVD, id: CNNVD-201907-1008
db: NVD, id: CVE-2019-1942

LAST UPDATE DATE

2024-08-14T15:33:56.635000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-151864, date: 2019-10-09T00:00:00
db: BID, id: 109283, date: 2019-07-17T00:00:00
db: JVNDB, id: JVNDB-2019-006926, date: 2019-07-30T00:00:00
db: CNNVD, id: CNNVD-201907-1008, date: 2019-07-29T00:00:00
db: NVD, id: CVE-2019-1942, date: 2019-10-09T23:48:37.287

SOURCES RELEASE DATE

db: VULHUB, id: VHN-151864, date: 2019-07-17T00:00:00
db: BID, id: 109283, date: 2019-07-17T00:00:00
db: JVNDB, id: JVNDB-2019-006926, date: 2019-07-30T00:00:00
db: CNNVD, id: CNNVD-201907-1008, date: 2019-07-17T00:00:00
db: NVD, id: CVE-2019-1942, date: 2019-07-17T21:15:12.390