ID

VAR-201908-0836


CVE

CVE-2019-1958


TITLE

Cisco HyperFlex Software cross-site request forgery vulnerability

Trust: 1.4

sources: JVNDB: JVNDB-2019-007627 // CNNVD: CNNVD-201908-565

DESCRIPTION

A vulnerability in the web-based management interface of Cisco HyperFlex Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections for the web UI on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link while that user holds a valid, authenticated session with the interface. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. Cisco HyperFlex is Cisco's hyperconverged infrastructure platform; the HX Data Platform at its core is a scalable distributed file system, and the platform provides unified compute, storage and networking under cloud-based management together with enterprise-grade data management and optimization services. The vulnerability stems from the web application not adequately verifying that a state-changing request was deliberately issued by the authenticated user rather than by a third-party site the user's browser happened to load.

Trust: 1.71

sources: NVD: CVE-2019-1958 // JVNDB: JVNDB-2019-007627 // VULHUB: VHN-152040
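
The description above says the web UI's CSRF protection is insufficient and that the attacker only has to get an already-authenticated user to follow a link. The following is an added illustration of that vulnerability class (CWE-352); it is not Cisco HyperFlex code, is not taken from the advisory, and makes no claim about how the HyperFlex interface is implemented. A handler that trusts the session cookie alone is shown beside one that refuses cross-site requests. The hostnames (hx-manager.example, attacker.example), the paths, the `op` form field and the session store are all invented for the illustration.

```python
"""Illustrative CSRF (CWE-352) vulnerable vs. hardened request handling.

Generic illustration only: NOT Cisco HyperFlex code and NOT from the advisory.
All names, paths and hostnames below are assumptions made for the example.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

APP_ORIGIN = "https://hx-manager.example"   # assumed origin of the management UI


@dataclass
class Request:
    """Minimal model of what a browser sends to the management UI."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


SESSIONS: dict = {}   # assumed server-side session store: session id -> data


def login(user: str) -> str:
    """Create a session and bind a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(24)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def _session_for(req: Request):
    return SESSIONS.get(req.cookies.get("session", ""))


def _origin_of(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def _do_action(session: dict, req: Request) -> dict:
    # Stand-in for a state-changing operation (e.g. creating an admin user).
    return {"status": 200, "user": session["user"],
            "action": req.form.get("op") or req.path}


def vulnerable_handle(req: Request) -> dict:
    """Vulnerable: the only check is 'is there a valid session cookie?'.

    Browsers attach cookies to cross-site requests automatically, so a link
    or an auto-submitting form on attacker.example is indistinguishable from
    a click inside the UI. This is the pattern CWE-352 describes.
    """
    session = _session_for(req)
    if session is None:
        return {"status": 401, "reason": "no session"}
    return _do_action(session, req)


def hardened_handle(req: Request) -> dict:
    """Hardened: three independent checks before a state change is honoured."""
    session = _session_for(req)
    if session is None:
        return {"status": 401, "reason": "no session"}
    # 1. State changes only over POST: a plain <a href> or <img src> cannot
    #    trigger them, which defeats the 'follow a malicious link' vector.
    if req.method != "POST":
        return {"status": 405, "reason": "state change requires POST"}
    # 2. Origin (falling back to Referer) must be our own origin.
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if source is None or _origin_of(source) != APP_ORIGIN:
        return {"status": 403, "reason": "cross-origin request refused"}
    # 3. Synchronizer token: the attacker's page cannot read it (same-origin
    #    policy), so it cannot include it in a forged request.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf_token"]):
        return {"status": 403, "reason": "missing or invalid CSRF token"}
    return _do_action(session, req)


# Constructed requests, modelled on what a victim's browser would send.
def forged_get(sid: str) -> Request:
    """Victim follows a malicious link; the browser adds the session cookie."""
    return Request("GET", "/api/users/add?name=evil&role=admin",
                   headers={"Referer": "https://attacker.example/page"},
                   cookies={"session": sid})


def forged_post(sid: str) -> Request:
    """Auto-submitted form on the attacker's page, no token available."""
    return Request("POST", "/api/users/add",
                   headers={"Origin": "https://attacker.example"},
                   cookies={"session": sid},
                   form={"op": "add_user", "name": "evil", "role": "admin"})


def legitimate_post(sid: str) -> Request:
    """Form submitted from the UI itself, carrying the session's token."""
    return Request("POST", "/api/users/add",
                   headers={"Origin": APP_ORIGIN},
                   cookies={"session": sid},
                   form={"op": "add_user", "name": "bob",
                         "csrf_token": SESSIONS[sid]["csrf_token"]})
```

Setting `SameSite=Lax` or `Strict` on the session cookie is a worthwhile fourth layer, since it stops the browser attaching the cookie to most cross-site requests in the first place; it is deliberately not relied on alone above because older clients ignore it and `Lax` still sends the cookie on top-level GET navigations, which is exactly the malicious-link case.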

AFFECTED PRODUCTS

vendor: cisco
model: hyperflex hx data platform
scope: lt (versions earlier than)
version: 4.0(2a)

Trust: 1.0

vendor: cisco
model: hyperflex
scope: -
version: -

Trust: 0.8

sources: JVNDB: JVNDB-2019-007627 // NVD: CVE-2019-1958

CVSS

SEVERITY

nvd@nist.gov: CVE-2019-1958
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2019-1958
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-1958
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201908-565
value: HIGH

Trust: 0.6

VULHUB: VHN-152040
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2019-1958
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-152040
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2019-1958
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

ykramarz@cisco.com: CVE-2019-1958
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 2.8
impactScore: 2.5
version: 3.0

Trust: 1.0

NVD: CVE-2019-1958
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-152040 // JVNDB: JVNDB-2019-007627 // CNNVD: CNNVD-201908-565 // NVD: CVE-2019-1958

PROBLEMTYPE DATA

problemtype: CWE-352 (Cross-Site Request Forgery)

Trust: 1.9

sources: VULHUB: VHN-152040 // JVNDB: JVNDB-2019-007627 // NVD: CVE-2019-1958

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201908-565

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201908-565

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-007627

PATCH

title: cisco-sa-20190807-hypflex-csrf
url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190807-hypflex-csrf

Trust: 0.8

title: Cisco HyperFlex Software fix for cross-site request forgery vulnerability
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=96262

Trust: 0.6

sources: JVNDB: JVNDB-2019-007627 // CNNVD: CNNVD-201908-565

EXTERNAL IDS

db: NVD, id: CVE-2019-1958

Trust: 2.5

db: JVNDB, id: JVNDB-2019-007627

Trust: 0.8

db: CNNVD, id: CNNVD-201908-565

Trust: 0.7

db: AUSCERT, id: ESB-2019.3001

Trust: 0.6

db: VULHUB, id: VHN-152040

Trust: 0.1

sources: VULHUB: VHN-152040 // JVNDB: JVNDB-2019-007627 // CNNVD: CNNVD-201908-565 // NVD: CVE-2019-1958

REFERENCES

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190807-hypflex-csrf

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2019-1958

Trust: 1.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1958

Trust: 0.8

url: https://www.auscert.org.au/bulletins/esb-2019.3001/

Trust: 0.6

sources: VULHUB: VHN-152040 // JVNDB: JVNDB-2019-007627 // CNNVD: CNNVD-201908-565 // NVD: CVE-2019-1958

SOURCES

db: VULHUB, id: VHN-152040
db: JVNDB, id: JVNDB-2019-007627
db: CNNVD, id: CNNVD-201908-565
db: NVD, id: CVE-2019-1958

LAST UPDATE DATE

2024-11-23T22:25:48.648000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-152040, date: 2019-10-09T00:00:00
db: JVNDB, id: JVNDB-2019-007627, date: 2019-08-16T00:00:00
db: CNNVD, id: CNNVD-201908-565, date: 2019-08-19T00:00:00
db: NVD, id: CVE-2019-1958, date: 2024-11-21T04:37:46.110

SOURCES RELEASE DATE

db: VULHUB, id: VHN-152040, date: 2019-08-08T00:00:00
db: JVNDB, id: JVNDB-2019-007627, date: 2019-08-16T00:00:00
db: CNNVD, id: CNNVD-201908-565, date: 2019-08-07T00:00:00
db: NVD, id: CVE-2019-1958, date: 2019-08-08T08:15:12.727