ID

VAR-201909-0154


CVE

CVE-2019-12645


TITLE

Cisco Jabber Client Framework Input validation vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-008973

DESCRIPTION

A vulnerability in Cisco Jabber Client Framework (JCF) for Mac Software, installed as part of the Cisco Jabber for Mac client, could allow an authenticated, local attacker to execute arbitrary code on an affected device. The vulnerability is due to improper file-level permissions on an affected device when it is running Cisco JCF for Mac Software. An attacker could exploit this vulnerability by authenticating to the affected device and executing arbitrary code or potentially modifying certain configuration files. A successful exploit could allow the attacker to execute arbitrary code or modify certain configuration files on the device using the privileges of the installed Cisco JCF for Mac Software. Cisco Jabber Client Framework (JCF) contains an input validation vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). Cisco Jabber Client Framework (JCF) is a unified communications client framework from Cisco. The framework provides online status display, instant messaging, voice and other functions. An input validation error vulnerability exists in Cisco JCF 12.6(1) and earlier versions on the Mac platform. The vulnerability is caused by the program assigning incorrect permissions to files.

Trust: 1.71

sources: NVD: CVE-2019-12645 // JVNDB: JVNDB-2019-008973 // VULHUB: VHN-144412

AFFECTED PRODUCTS

vendor: cisco model: jabber scope: lt version: 12.6(1)

Trust: 1.0

vendor: cisco model: jabber scope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2019-008973 // NVD: CVE-2019-12645

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-12645
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2019-12645
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-12645
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201909-157
value: HIGH

Trust: 0.6

VULHUB: VHN-144412
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-12645
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-144412
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-12645
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

ykramarz@cisco.com: CVE-2019-12645
baseSeverity: MEDIUM
baseScore: 6.7
vectorString: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 0.8
impactScore: 5.9
version: 3.0

Trust: 1.0

NVD: CVE-2019-12645
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-144412 // JVNDB: JVNDB-2019-008973 // CNNVD: CNNVD-201909-157 // NVD: CVE-2019-12645 // NVD: CVE-2019-12645

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.9

problemtype:CWE-732

Trust: 1.1

sources: VULHUB: VHN-144412 // JVNDB: JVNDB-2019-008973 // NVD: CVE-2019-12645

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201909-157

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-201909-157

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-008973

PATCH

title: cisco-sa-20190904-jcf-codex url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190904-jcf-codex

Trust: 0.8

title: Fix for the Cisco Jabber Client Framework input validation error vulnerability url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=97919

Trust: 0.6

sources: JVNDB: JVNDB-2019-008973 // CNNVD: CNNVD-201909-157

EXTERNAL IDS

db: NVD id: CVE-2019-12645

Trust: 2.5

db: JVNDB id: JVNDB-2019-008973

Trust: 0.8

db: CNNVD id: CNNVD-201909-157

Trust: 0.7

db: AUSCERT id: ESB-2019.3366

Trust: 0.6

db: VULHUB id: VHN-144412

Trust: 0.1

sources: VULHUB: VHN-144412 // JVNDB: JVNDB-2019-008973 // CNNVD: CNNVD-201909-157 // NVD: CVE-2019-12645

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190904-jcf-codex

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2019-12645

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-12645

Trust: 0.8

url:https://www.auscert.org.au/bulletins/esb-2019.3366/

Trust: 0.6

sources: VULHUB: VHN-144412 // JVNDB: JVNDB-2019-008973 // CNNVD: CNNVD-201909-157 // NVD: CVE-2019-12645

CREDITS

Drew Yao of the Apple SEAR Red Team.

Trust: 0.6

sources: CNNVD: CNNVD-201909-157

SOURCES

db: VULHUB id: VHN-144412
db: JVNDB id: JVNDB-2019-008973
db: CNNVD id: CNNVD-201909-157
db: NVD id: CVE-2019-12645

LAST UPDATE DATE

2024-11-23T21:59:42.424000+00:00


SOURCES UPDATE DATE

db: VULHUB id: VHN-144412 date: 2020-10-08T00:00:00
db: JVNDB id: JVNDB-2019-008973 date: 2019-09-10T00:00:00
db: CNNVD id: CNNVD-201909-157 date: 2020-10-09T00:00:00
db: NVD id: CVE-2019-12645 date: 2024-11-21T04:23:15.040

SOURCES RELEASE DATE

db: VULHUB id: VHN-144412 date: 2019-09-05T00:00:00
db: JVNDB id: JVNDB-2019-008973 date: 2019-09-10T00:00:00
db: CNNVD id: CNNVD-201909-157 date: 2019-09-04T00:00:00
db: NVD id: CVE-2019-12645 date: 2019-09-05T02:15:12.807