Details of VAR-201907-0396

ID

VAR-201907-0396

CVE

CVE-2019-1933

TITLE

Cisco Email Security Appliance AsyncOS Software Input Validation Error Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2019-21305 // CNNVD: CNNVD-201907-222

DESCRIPTION

A vulnerability in the email message scanning of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass configured filters on the device. The vulnerability is due to improper input validation of certain email fields. An attacker could exploit this vulnerability by sending a crafted email message to a recipient protected by the ESA. A successful exploit could allow the attacker to bypass configured message filters and inject arbitrary scripting code inside the email body. The malicious code is not executed by default unless the recipient's email client is configured to execute scripts contained in emails. AsyncOSSoftware is a set of operating systems running on it. An attacker can exploit this issue to bypass security restrictions and perform unauthorized actions. This may aid in further attacks. This issue is being tracked by Cisco Bug ID CSCvo55451

Trust: 2.52

sources: NVD: CVE-2019-1933 // JVNDB: JVNDB-2019-006239 // CNVD: CNVD-2019-21305 // BID: 109031 // VULHUB: VHN-151765

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2019-21305

AFFECTED PRODUCTS

vendor:	cisco	model:	email security appliance	scope:	eq	version:	11.1.2-023	Trust: 1.3
vendor:	cisco	model:	e email security the appliance	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	email security appliance	scope:	-	version:	-	Trust: 0.6
vendor:	cisco	model:	asyncos software	scope:	eq	version:	0	Trust: 0.3

sources: CNVD: CNVD-2019-21305 // BID: 109031 // JVNDB: JVNDB-2019-006239 // NVD: CVE-2019-1933

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-1933
value:	HIGH
Trust: 1.0
ykramarz@cisco.com:	CVE-2019-1933
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2019-1933
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2019-21305
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201907-222
value:	HIGH
Trust: 0.6
VULHUB:	VHN-151765
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2019-1933
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2019-21305
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-151765
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-1933
baseSeverity:	HIGH
baseScore:	7.4
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	4.0
version:	3.0
Trust: 1.8
ykramarz@cisco.com:	CVE-2019-1933
baseSeverity:	MEDIUM
baseScore:	5.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	NONE
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	1.4
version:	3.0
Trust: 1.0

sources: CNVD: CNVD-2019-21305 // VULHUB: VHN-151765 // JVNDB: JVNDB-2019-006239 // CNNVD: CNNVD-201907-222 // NVD: CVE-2019-1933 // NVD: CVE-2019-1933

PROBLEMTYPE DATA

problemtype:

CWE-20

Trust: 1.9

sources: VULHUB: VHN-151765 // JVNDB: JVNDB-2019-006239 // NVD: CVE-2019-1933

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201907-222

TYPE

Input Validation Error

Trust: 0.9

sources: BID: 109031 // CNNVD: CNNVD-201907-222

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-006239

PATCH

title:

cisco-sa-20190703-esa-filterpass

url:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190703-esa-filterpass

Trust: 0.8

sources: JVNDB: JVNDB-2019-006239

EXTERNAL IDS

db:	NVD	id:	CVE-2019-1933	Trust: 3.4
db:	BID	id:	109031	Trust: 1.0
db:	JVNDB	id:	JVNDB-2019-006239	Trust: 0.8
db:	CNNVD	id:	CNNVD-201907-222	Trust: 0.7
db:	CNVD	id:	CNVD-2019-21305	Trust: 0.6
db:	AUSCERT	id:	ESB-2019.2442	Trust: 0.6
db:	VULHUB	id:	VHN-151765	Trust: 0.1

sources: CNVD: CNVD-2019-21305 // VULHUB: VHN-151765 // BID: 109031 // JVNDB: JVNDB-2019-006239 // CNNVD: CNNVD-201907-222 // NVD: CVE-2019-1933

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190703-esa-filterpass	Trust: 2.6
url:	https://nvd.nist.gov/vuln/detail/cve-2019-1933	Trust: 1.4
url:	http://www.cisco.com/	Trust: 0.9
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1933	Trust: 0.8
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190703-esa-bypass	Trust: 0.6
url:	https://www.securityfocus.com/bid/109031	Trust: 0.6
url:	https://vigilance.fr/vulnerability/cisco-email-security-appliance-privilege-escalation-via-script-filter-bypass-29688	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2019.2442/	Trust: 0.6

sources: CNVD: CNVD-2019-21305 // VULHUB: VHN-151765 // BID: 109031 // JVNDB: JVNDB-2019-006239 // CNNVD: CNNVD-201907-222 // NVD: CVE-2019-1933

CREDITS

Cisco

Trust: 0.9

sources: BID: 109031 // CNNVD: CNNVD-201907-222

SOURCES

db:	CNVD	id:	CNVD-2019-21305
db:	VULHUB	id:	VHN-151765
db:	BID	id:	109031
db:	JVNDB	id:	JVNDB-2019-006239
db:	CNNVD	id:	CNNVD-201907-222
db:	NVD	id:	CVE-2019-1933

LAST UPDATE DATE

2024-11-23T21:52:08.250000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2019-21305	date:	2019-07-05T00:00:00
db:	VULHUB	id:	VHN-151765	date:	2019-10-09T00:00:00
db:	BID	id:	109031	date:	2019-07-03T00:00:00
db:	JVNDB	id:	JVNDB-2019-006239	date:	2019-07-17T00:00:00
db:	CNNVD	id:	CNNVD-201907-222	date:	2019-07-16T00:00:00
db:	NVD	id:	CVE-2019-1933	date:	2024-11-21T04:37:42.943

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2019-21305	date:	2019-07-05T00:00:00
db:	VULHUB	id:	VHN-151765	date:	2019-07-06T00:00:00
db:	BID	id:	109031	date:	2019-07-03T00:00:00
db:	JVNDB	id:	JVNDB-2019-006239	date:	2019-07-17T00:00:00
db:	CNNVD	id:	CNNVD-201907-222	date:	2019-07-03T00:00:00
db:	NVD	id:	CVE-2019-1933	date:	2019-07-06T02:15:12.183