ID

VAR-201908-0273


CVE

CVE-2019-12623


TITLE

Cisco Enterprise Network Functions Virtualization Infrastructure Software Vulnerable to file and directory information disclosure

Trust: 0.8

sources: JVNDB: JVNDB-2019-008544

DESCRIPTION

A vulnerability in the web server functionality of Cisco Enterprise Network Functions Virtualization Infrastructure Software (NFVIS) could allow an authenticated, remote attacker to perform file enumeration on an affected system. The vulnerability is due to the web server responding with different error codes for existing and non-existing files. An attacker could exploit this vulnerability by sending GET requests for different file names. A successful exploit could allow the attacker to enumerate files residing on the system.

Trust: 1.71

sources: NVD: CVE-2019-12623 // JVNDB: JVNDB-2019-008544 // VULHUB: VHN-144388

AFFECTED PRODUCTS

vendor: cisco // model: enterprise network functions virtualization infrastructure // scope: lt // version: 3.12.1

Trust: 1.0

vendor: cisco // model: enterprise network functions virtualization infrastructure software // scope: - // version: -

Trust: 0.8

sources: JVNDB: JVNDB-2019-008544 // NVD: CVE-2019-12623

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-12623
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2019-12623
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-12623
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201908-1641
value: MEDIUM

Trust: 0.6

VULHUB: VHN-144388
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-12623
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-144388
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-12623
baseSeverity: MEDIUM
baseScore: 4.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 1.4
version: 3.0

Trust: 2.8

sources: VULHUB: VHN-144388 // JVNDB: JVNDB-2019-008544 // CNNVD: CNNVD-201908-1641 // NVD: CVE-2019-12623 // NVD: CVE-2019-12623

PROBLEMTYPE DATA

problemtype:CWE-538

Trust: 1.9

sources: VULHUB: VHN-144388 // JVNDB: JVNDB-2019-008544 // NVD: CVE-2019-12623

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201908-1641

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-201908-1641

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-008544

PATCH

title: cisco-sa-20190821-nfv-enumeration // url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-nfv-enumeration

Trust: 0.8

title: Cisco Enterprise Network Functions Virtualization Infrastructure Security vulnerabilities // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=97719

Trust: 0.6

sources: JVNDB: JVNDB-2019-008544 // CNNVD: CNNVD-201908-1641

EXTERNAL IDS

db: NVD // id: CVE-2019-12623

Trust: 2.5

db: JVNDB // id: JVNDB-2019-008544

Trust: 0.8

db: CNNVD // id: CNNVD-201908-1641

Trust: 0.7

db: AUSCERT // id: ESB-2019.3211.2

Trust: 0.6

db: AUSCERT // id: ESB-2019.3211

Trust: 0.6

db: VULHUB // id: VHN-144388

Trust: 0.1

sources: VULHUB: VHN-144388 // JVNDB: JVNDB-2019-008544 // CNNVD: CNNVD-201908-1641 // NVD: CVE-2019-12623

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-nfv-enumeration

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2019-12623

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-12623

Trust: 0.8

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-nfv-filewrite

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2019.3211.2/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2019.3211/

Trust: 0.6

sources: VULHUB: VHN-144388 // JVNDB: JVNDB-2019-008544 // CNNVD: CNNVD-201908-1641 // NVD: CVE-2019-12623

CREDITS

Tahir Khan and team from Verizon's product security group.

Trust: 0.6

sources: CNNVD: CNNVD-201908-1641

SOURCES

db: VULHUB // id: VHN-144388
db: JVNDB // id: JVNDB-2019-008544
db: CNNVD // id: CNNVD-201908-1641
db: NVD // id: CVE-2019-12623

LAST UPDATE DATE

2024-08-14T15:02:14.111000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-144388 // date: 2019-10-09T00:00:00
db: JVNDB // id: JVNDB-2019-008544 // date: 2019-09-03T00:00:00
db: CNNVD // id: CNNVD-201908-1641 // date: 2019-09-12T00:00:00
db: NVD // id: CVE-2019-12623 // date: 2019-10-09T23:45:54.840

SOURCES RELEASE DATE

db: VULHUB // id: VHN-144388 // date: 2019-08-21T00:00:00
db: JVNDB // id: JVNDB-2019-008544 // date: 2019-09-03T00:00:00
db: CNNVD // id: CNNVD-201908-1641 // date: 2019-08-21T00:00:00
db: NVD // id: CVE-2019-12623 // date: 2019-08-21T18:15:13.493