ID

VAR-201909-0160


CVE

CVE-2019-12650


TITLE

OS command injection vulnerability in Cisco IOS XE Software

Trust: 0.8

sources: JVNDB: JVNDB-2019-010362

DESCRIPTION

Multiple vulnerabilities in the web-based user interface (Web UI) of Cisco IOS XE Software could allow an authenticated, remote attacker to execute commands with elevated privileges on the affected device. For more information about these vulnerabilities, see the Details section of this advisory. Cisco IOS XE Software contains an OS command injection vulnerability. Information may be obtained, information may be tampered with, and a denial-of-service (DoS) condition may result. Cisco IOS XE is an operating system developed by Cisco for its network equipment.

Trust: 1.71

sources: NVD: CVE-2019-12650 // JVNDB: JVNDB-2019-010362 // VULHUB: VHN-144418

AFFECTED PRODUCTS

vendor: cisco, model: ios, scope: eq, version: 16.11.1

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 17.1.1

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.6.5

Trust: 1.0

vendor: cisco, model: ios, scope: -, version: -

Trust: 0.8

vendor: cisco, model: ios xe, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2019-010362 // NVD: CVE-2019-12650

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-12650
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2019-12650
value: HIGH

Trust: 1.0

NVD: CVE-2019-12650
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201909-1139
value: HIGH

Trust: 0.6

VULHUB: VHN-144418
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-12650
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-144418
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-12650
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

ykramarz@cisco.com: CVE-2019-12650
baseSeverity: HIGH
baseScore: 7.6
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 4.7
version: 3.0

Trust: 1.0

NVD: CVE-2019-12650
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-144418 // JVNDB: JVNDB-2019-010362 // CNNVD: CNNVD-201909-1139 // NVD: CVE-2019-12650 // NVD: CVE-2019-12650

PROBLEMTYPE DATA

problemtype: CWE-78

Trust: 1.9

problemtype: CWE-77

Trust: 1.0

sources: VULHUB: VHN-144418 // JVNDB: JVNDB-2019-010362 // NVD: CVE-2019-12650

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201909-1139

TYPE

operating system command injection

Trust: 0.6

sources: CNNVD: CNNVD-201909-1139

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-010362

PATCH

title: cisco-sa-20190925-webui-cmd-injection, url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-webui-cmd-injection

Trust: 0.8

title: Cisco IOS XE Fixes for command injection vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=98557

Trust: 0.6

sources: JVNDB: JVNDB-2019-010362 // CNNVD: CNNVD-201909-1139

EXTERNAL IDS

db: NVD, id: CVE-2019-12650

Trust: 2.5

db: JVNDB, id: JVNDB-2019-010362

Trust: 0.8

db: CNNVD, id: CNNVD-201909-1139

Trust: 0.7

db: AUSCERT, id: ESB-2019.3615.2

Trust: 0.6

db: AUSCERT, id: ESB-2019.3615

Trust: 0.6

db: VULHUB, id: VHN-144418

Trust: 0.1

sources: VULHUB: VHN-144418 // JVNDB: JVNDB-2019-010362 // CNNVD: CNNVD-201909-1139 // NVD: CVE-2019-12650

REFERENCES

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190925-webui-cmd-injection

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2019-12650

Trust: 1.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-12650

Trust: 0.8

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190925-awr

Trust: 0.6

url: https://www.auscert.org.au/bulletins/esb-2019.3615.2/

Trust: 0.6

url: https://www.auscert.org.au/bulletins/esb-2019.3615/

Trust: 0.6

url: https://vigilance.fr/vulnerability/cisco-ios-xe-privilege-escalation-via-web-ui-command-injection-30446

Trust: 0.6

sources: VULHUB: VHN-144418 // JVNDB: JVNDB-2019-010362 // CNNVD: CNNVD-201909-1139 // NVD: CVE-2019-12650

CREDITS

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Trust: 0.6

sources: CNNVD: CNNVD-201909-1139

SOURCES

db: VULHUB, id: VHN-144418
db: JVNDB, id: JVNDB-2019-010362
db: CNNVD, id: CNNVD-201909-1139
db: NVD, id: CVE-2019-12650

LAST UPDATE DATE

2024-08-14T13:25:56.838000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-144418, date: 2019-10-09T00:00:00
db: JVNDB, id: JVNDB-2019-010362, date: 2019-10-11T00:00:00
db: CNNVD, id: CNNVD-201909-1139, date: 2020-05-22T00:00:00
db: NVD, id: CVE-2019-12650, date: 2023-05-22T18:57:24.750

SOURCES RELEASE DATE

db: VULHUB, id: VHN-144418, date: 2019-09-25T00:00:00
db: JVNDB, id: JVNDB-2019-010362, date: 2019-10-11T00:00:00
db: CNNVD, id: CNNVD-201909-1139, date: 2019-09-25T00:00:00
db: NVD, id: CVE-2019-12650, date: 2019-09-25T20:15:10.650