Details of VAR-201908-0548

ID

VAR-201908-0548

CVE

CVE-2019-1938

TITLE

Cisco UCS Director and Cisco UCS Director Express for Big Data Authentication vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-008601

DESCRIPTION

A vulnerability in the web-based management interface of Cisco UCS Director and Cisco UCS Director Express for Big Data could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrator privileges on an affected system. The vulnerability is due to improper authentication request handling. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow an unprivileged attacker to access and execute arbitrary actions through certain APIs. Cisco UCS Director is a heterogeneous platform for Private Cloud Infrastructure as a Service (IaaS)

Trust: 1.71

sources: NVD: CVE-2019-1938 // JVNDB: JVNDB-2019-008601 // VULHUB: VHN-151820

AFFECTED PRODUCTS

vendor:	cisco	model:	ucs director	scope:	eq	version:	6.7.0.0	Trust: 1.0
vendor:	cisco	model:	ucs director	scope:	eq	version:	6.7.1.0	Trust: 1.0
vendor:	cisco	model:	ucs director express for big data	scope:	eq	version:	3.7.1.0	Trust: 1.0
vendor:	cisco	model:	ucs director express for big data	scope:	eq	version:	3.7.0.0	Trust: 1.0
vendor:	cisco	model:	ucs director	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	ucs director express for big data	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2019-008601 // NVD: CVE-2019-1938

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-1938
value:	CRITICAL
Trust: 1.0
ykramarz@cisco.com:	CVE-2019-1938
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2019-1938
value:	CRITICAL
Trust: 0.8
CNNVD:	CNNVD-201908-1725
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-151820
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2019-1938
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-151820
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-1938
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.0
Trust: 2.8

sources: VULHUB: VHN-151820 // JVNDB: JVNDB-2019-008601 // CNNVD: CNNVD-201908-1725 // NVD: CVE-2019-1938 // NVD: CVE-2019-1938

PROBLEMTYPE DATA

problemtype:

CWE-287

Trust: 1.9

sources: VULHUB: VHN-151820 // JVNDB: JVNDB-2019-008601 // NVD: CVE-2019-1938

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201908-1725

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201908-1725

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-008601

PATCH

title:	cisco-sa-20190821-ucsd-authbypass	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-ucsd-authbypass	Trust: 0.8
title:	Cisco UCS Director and Cisco UCS Director Express for Big Data Remediation measures for authorization problem vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=97722	Trust: 0.6

sources: JVNDB: JVNDB-2019-008601 // CNNVD: CNNVD-201908-1725

EXTERNAL IDS

db:	NVD	id:	CVE-2019-1938	Trust: 2.5
db:	JVNDB	id:	JVNDB-2019-008601	Trust: 0.8
db:	CNNVD	id:	CNNVD-201908-1725	Trust: 0.7
db:	AUSCERT	id:	ESB-2019.3205	Trust: 0.6
db:	VULHUB	id:	VHN-151820	Trust: 0.1

sources: VULHUB: VHN-151820 // JVNDB: JVNDB-2019-008601 // CNNVD: CNNVD-201908-1725 // NVD: CVE-2019-1938

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-ucsd-authbypass	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2019-1938	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1938	Trust: 0.8
url:	https://vigilance.fr/vulnerability/cisco-ucs-director-privilege-escalation-30130	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2019.3205/	Trust: 0.6

sources: VULHUB: VHN-151820 // JVNDB: JVNDB-2019-008601 // CNNVD: CNNVD-201908-1725 // NVD: CVE-2019-1938

SOURCES

db:	VULHUB	id:	VHN-151820
db:	JVNDB	id:	JVNDB-2019-008601
db:	CNNVD	id:	CNNVD-201908-1725
db:	NVD	id:	CVE-2019-1938

LAST UPDATE DATE

2024-11-23T22:44:55.785000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-151820	date:	2019-10-09T00:00:00
db:	JVNDB	id:	JVNDB-2019-008601	date:	2019-09-04T00:00:00
db:	CNNVD	id:	CNNVD-201908-1725	date:	2019-09-05T00:00:00
db:	NVD	id:	CVE-2019-1938	date:	2024-11-21T04:37:43.613

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-151820	date:	2019-08-21T00:00:00
db:	JVNDB	id:	JVNDB-2019-008601	date:	2019-09-04T00:00:00
db:	CNNVD	id:	CNNVD-201908-1725	date:	2019-08-21T00:00:00
db:	NVD	id:	CVE-2019-1938	date:	2019-08-21T19:15:15.467