Details of VAR-201908-0831

ID

VAR-201908-0831

CVE

CVE-2019-1863

TITLE

Cisco Integrated Management Controller Software Authorization vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-008450

DESCRIPTION

A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Software could allow an authenticated, remote attacker to make unauthorized changes to the system configuration. The vulnerability is due to insufficient authorization enforcement. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected software. A successful exploit could allow a user with read-only privileges to change critical system configurations using administrator privileges. The software supports HTTP, SSH access, etc., and can perform operations such as starting, shutting down and restarting the server. The following products and versions are affected: Cisco UCS C-Series and S-Series Servers (in single mode); UCS E-Series Servers; 5000 Series Enterprise Network Compute System (ENCS) Platforms

Trust: 1.71

sources: NVD: CVE-2019-1863 // JVNDB: JVNDB-2019-008450 // VULHUB: VHN-150995

AFFECTED PRODUCTS

vendor:	cisco	model:	integrated management controller supervisor	scope:	gte	version:	3.0.0.0	Trust: 1.0
vendor:	cisco	model:	integrated management controller supervisor	scope:	lt	version:	4.0\(2c\)	Trust: 1.0
vendor:	cisco	model:	unified computing system	scope:	eq	version:	4.0\(1c\)hs3	Trust: 1.0
vendor:	cisco	model:	integrated management controller supervisor	scope:	gte	version:	1.5.0.0	Trust: 1.0
vendor:	cisco	model:	integrated management controller supervisor	scope:	lt	version:	1.5\(9g\)	Trust: 1.0
vendor:	cisco	model:	integrated management controller supervisor	scope:	lt	version:	4.0\(4b\)	Trust: 1.0
vendor:	cisco	model:	integrated management controller supervisor	scope:	lt	version:	2.0\(13o\)	Trust: 1.0
vendor:	cisco	model:	integrated management controller supervisor	scope:	gte	version:	4.0.0.0	Trust: 1.0
vendor:	cisco	model:	integrated management controller supervisor	scope:	lt	version:	3.0\(4k\)	Trust: 1.0
vendor:	cisco	model:	integrated management controller supervisor	scope:	gte	version:	2.0.0.0	Trust: 1.0
vendor:	cisco	model:	integrated management controller supervisor	scope:	lt	version:	4.0\(1d\)	Trust: 1.0
vendor:	cisco	model:	integrated management controller supervisor	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	unified computing system software	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2019-008450 // NVD: CVE-2019-1863

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-1863
value:	HIGH
Trust: 1.0
ykramarz@cisco.com:	CVE-2019-1863
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2019-1863
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201908-1707
value:	HIGH
Trust: 0.6
VULHUB:	VHN-150995
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2019-1863
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-150995
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-1863
baseSeverity:	HIGH
baseScore:	8.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.2
version:	3.1
Trust: 1.0
ykramarz@cisco.com:	CVE-2019-1863
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	3.6
version:	3.0
Trust: 1.0
NVD:	CVE-2019-1863
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-150995 // JVNDB: JVNDB-2019-008450 // CNNVD: CNNVD-201908-1707 // NVD: CVE-2019-1863 // NVD: CVE-2019-1863

PROBLEMTYPE DATA

problemtype:	CWE-285	Trust: 1.9
problemtype:	NVD-CWE-Other	Trust: 1.0

sources: VULHUB: VHN-150995 // JVNDB: JVNDB-2019-008450 // NVD: CVE-2019-1863

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201908-1707

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-201908-1707

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-008450

PATCH

title:	cisco-sa-20190821-imc-privilege	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-privilege	Trust: 0.8
title:	Cisco Integrated Management Controller Remediation measures for authorization problem vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=97301	Trust: 0.6

sources: JVNDB: JVNDB-2019-008450 // CNNVD: CNNVD-201908-1707

EXTERNAL IDS

db:	NVD	id:	CVE-2019-1863	Trust: 2.5
db:	JVNDB	id:	JVNDB-2019-008450	Trust: 0.8
db:	CNNVD	id:	CNNVD-201908-1707	Trust: 0.7
db:	AUSCERT	id:	ESB-2019.3212	Trust: 0.6
db:	VULHUB	id:	VHN-150995	Trust: 0.1

sources: VULHUB: VHN-150995 // JVNDB: JVNDB-2019-008450 // CNNVD: CNNVD-201908-1707 // NVD: CVE-2019-1863

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imc-privilege	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2019-1863	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1863	Trust: 0.8
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imc-bo	Trust: 0.6
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-cimc-cli-inject	Trust: 0.6
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imc-cmdinject-1896	Trust: 0.6
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-ucs-cimc	Trust: 0.6
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imc-cmdinject-1634	Trust: 0.6
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imc-cmdinj-1865	Trust: 0.6
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imc-cmdinj-1864	Trust: 0.6
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imc-cmdinj-1850	Trust: 0.6
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imc-infodisc	Trust: 0.6
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imc-privescal	Trust: 0.6
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imcs-ucs-authby	Trust: 0.6
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imcs-ucs-cmdinj	Trust: 0.6
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-ucs-imc-dos	Trust: 0.6
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imcs-usercred	Trust: 0.6
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imc-dos	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2019.3212/	Trust: 0.6

sources: VULHUB: VHN-150995 // JVNDB: JVNDB-2019-008450 // CNNVD: CNNVD-201908-1707 // NVD: CVE-2019-1863

SOURCES

db:	VULHUB	id:	VHN-150995
db:	JVNDB	id:	JVNDB-2019-008450
db:	CNNVD	id:	CNNVD-201908-1707
db:	NVD	id:	CVE-2019-1863

LAST UPDATE DATE

2024-08-14T13:26:01.309000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-150995	date:	2020-10-16T00:00:00
db:	JVNDB	id:	JVNDB-2019-008450	date:	2019-08-30T00:00:00
db:	CNNVD	id:	CNNVD-201908-1707	date:	2020-10-21T00:00:00
db:	NVD	id:	CVE-2019-1863	date:	2020-10-16T14:51:00.790

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-150995	date:	2019-08-21T00:00:00
db:	JVNDB	id:	JVNDB-2019-008450	date:	2019-08-30T00:00:00
db:	CNNVD	id:	CNNVD-201908-1707	date:	2019-08-21T00:00:00
db:	NVD	id:	CVE-2019-1863	date:	2019-08-21T19:15:14.277