ID

VAR-201909-0160


CVE

CVE-2019-12650


TITLE

Cisco IOS XE In software OS Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-010362

DESCRIPTION

Multiple vulnerabilities in the web-based user interface (Web UI) of Cisco IOS XE Software could allow an authenticated, remote attacker to execute commands with elevated privileges on the affected device. For more information about these vulnerabilities, see the Details section of this advisory. Cisco IOS XE The software includes OS A command injection vulnerability exists.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. Cisco IOS XE is an operating system developed by Cisco for its network equipment

Trust: 1.71

sources: NVD: CVE-2019-12650 // JVNDB: JVNDB-2019-010362 // VULHUB: VHN-144418

AFFECTED PRODUCTS

vendor:ciscomodel:iosscope:eqversion:16.11.1

Trust: 1.0

vendor:ciscomodel:ios xescope:eqversion:16.6.5

Trust: 1.0

vendor:ciscomodel:ios xescope:eqversion:17.1.1

Trust: 1.0

vendor:ciscomodel:iosscope: - version: -

Trust: 0.8

vendor:ciscomodel:ios xescope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2019-010362 // NVD: CVE-2019-12650

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-12650
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2019-12650
value: HIGH

Trust: 1.0

NVD: CVE-2019-12650
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201909-1139
value: HIGH

Trust: 0.6

VULHUB: VHN-144418
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-12650
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-144418
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-12650
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

ykramarz@cisco.com: CVE-2019-12650
baseSeverity: HIGH
baseScore: 7.6
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 4.7
version: 3.0

Trust: 1.0

NVD: CVE-2019-12650
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-144418 // JVNDB: JVNDB-2019-010362 // CNNVD: CNNVD-201909-1139 // NVD: CVE-2019-12650 // NVD: CVE-2019-12650

PROBLEMTYPE DATA

problemtype:CWE-78

Trust: 1.9

problemtype:CWE-77

Trust: 1.0

sources: VULHUB: VHN-144418 // JVNDB: JVNDB-2019-010362 // NVD: CVE-2019-12650

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201909-1139

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-201909-1139

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-010362

PATCH

title:cisco-sa-20190925-webui-cmd-injectionurl:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-webui-cmd-injection

Trust: 0.8

title:Cisco IOS XE Fixes for command injection vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=98557

Trust: 0.6

sources: JVNDB: JVNDB-2019-010362 // CNNVD: CNNVD-201909-1139

EXTERNAL IDS

db:NVDid:CVE-2019-12650

Trust: 2.5

db:JVNDBid:JVNDB-2019-010362

Trust: 0.8

db:CNNVDid:CNNVD-201909-1139

Trust: 0.7

db:AUSCERTid:ESB-2019.3615.2

Trust: 0.6

db:AUSCERTid:ESB-2019.3615

Trust: 0.6

db:VULHUBid:VHN-144418

Trust: 0.1

sources: VULHUB: VHN-144418 // JVNDB: JVNDB-2019-010362 // CNNVD: CNNVD-201909-1139 // NVD: CVE-2019-12650

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190925-webui-cmd-injection

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2019-12650

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-12650

Trust: 0.8

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190925-awr

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2019.3615.2/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2019.3615/

Trust: 0.6

url:https://vigilance.fr/vulnerability/cisco-ios-xe-privilege-escalation-via-web-ui-command-injection-30446

Trust: 0.6

sources: VULHUB: VHN-144418 // JVNDB: JVNDB-2019-010362 // CNNVD: CNNVD-201909-1139 // NVD: CVE-2019-12650

CREDITS

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Trust: 0.6

sources: CNNVD: CNNVD-201909-1139

SOURCES

db:VULHUBid:VHN-144418
db:JVNDBid:JVNDB-2019-010362
db:CNNVDid:CNNVD-201909-1139
db:NVDid:CVE-2019-12650

LAST UPDATE DATE

2024-11-23T21:36:54.585000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-144418date:2019-10-09T00:00:00
db:JVNDBid:JVNDB-2019-010362date:2019-10-11T00:00:00
db:CNNVDid:CNNVD-201909-1139date:2020-05-22T00:00:00
db:NVDid:CVE-2019-12650date:2024-11-21T04:23:15.763

SOURCES RELEASE DATE

db:VULHUBid:VHN-144418date:2019-09-25T00:00:00
db:JVNDBid:JVNDB-2019-010362date:2019-10-11T00:00:00
db:CNNVDid:CNNVD-201909-1139date:2019-09-25T00:00:00
db:NVDid:CVE-2019-12650date:2019-09-25T20:15:10.650