ID

VAR-201909-0161


CVE

CVE-2019-12651


TITLE

OS command injection vulnerability in Cisco IOS XE Software

Trust: 0.8

sources: JVNDB: JVNDB-2019-010217

DESCRIPTION

Multiple vulnerabilities in the web-based user interface (Web UI) of Cisco IOS XE Software could allow an authenticated, remote attacker to execute commands with elevated privileges on the affected device. For more information about these vulnerabilities, see the Details section of this advisory. Cisco IOS XE Software contains an OS command injection vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Cisco IOS XE is an operating system developed by Cisco for its network equipment.

Trust: 1.71

sources: NVD: CVE-2019-12651 // JVNDB: JVNDB-2019-010217 // VULHUB: VHN-144419

AFFECTED PRODUCTS

vendor: cisco, model: ios, scope: eq, version: 16.11.1

Trust: 1.0

vendor: cisco, model: integrated services virtual router, scope: eq, version: 16.6.5

Trust: 1.0

vendor: cisco, model: cloud services router 1000v, scope: eq, version: 17.1.1

Trust: 1.0

vendor: cisco, model: cloud services router 1000v, scope: -, version: -

Trust: 0.8

vendor: cisco, model: ios xe, scope: -, version: -

Trust: 0.8

vendor: cisco, model: integrated services virtual router, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2019-010217 // NVD: CVE-2019-12651

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-12651
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2019-12651
value: HIGH

Trust: 1.0

NVD: CVE-2019-12651
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201909-1146
value: HIGH

Trust: 0.6

VULHUB: VHN-144419
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-12651
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-144419
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-12651
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

ykramarz@cisco.com: CVE-2019-12651
baseSeverity: HIGH
baseScore: 7.6
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 4.7
version: 3.0

Trust: 1.0

NVD: CVE-2019-12651
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-144419 // JVNDB: JVNDB-2019-010217 // CNNVD: CNNVD-201909-1146 // NVD: CVE-2019-12651 // NVD: CVE-2019-12651

PROBLEMTYPE DATA

problemtype:CWE-78

Trust: 1.9

problemtype:CWE-77

Trust: 1.0

sources: VULHUB: VHN-144419 // JVNDB: JVNDB-2019-010217 // NVD: CVE-2019-12651

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201909-1146

TYPE

operating system command injection

Trust: 0.6

sources: CNNVD: CNNVD-201909-1146

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-010217

PATCH

title: cisco-sa-20190925-webui-cmd-injection, url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-webui-cmd-injection

Trust: 0.8

title: Cisco IOS XE Fixes for command injection vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=98564

Trust: 0.6

sources: JVNDB: JVNDB-2019-010217 // CNNVD: CNNVD-201909-1146

EXTERNAL IDS

db: NVD, id: CVE-2019-12651

Trust: 2.5

db: JVNDB, id: JVNDB-2019-010217

Trust: 0.8

db: CNNVD, id: CNNVD-201909-1146

Trust: 0.7

db: AUSCERT, id: ESB-2019.3615.2

Trust: 0.6

db: AUSCERT, id: ESB-2019.3615

Trust: 0.6

db: VULHUB, id: VHN-144419

Trust: 0.1

sources: VULHUB: VHN-144419 // JVNDB: JVNDB-2019-010217 // CNNVD: CNNVD-201909-1146 // NVD: CVE-2019-12651

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190925-webui-cmd-injection

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2019-12651

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-12651

Trust: 0.8

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190925-awr

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2019.3615.2/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2019.3615/

Trust: 0.6

url:https://vigilance.fr/vulnerability/cisco-ios-xe-privilege-escalation-via-web-ui-command-injection-30446

Trust: 0.6

sources: VULHUB: VHN-144419 // JVNDB: JVNDB-2019-010217 // CNNVD: CNNVD-201909-1146 // NVD: CVE-2019-12651

CREDITS

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Trust: 0.6

sources: CNNVD: CNNVD-201909-1146

SOURCES

db: VULHUB, id: VHN-144419
db: JVNDB, id: JVNDB-2019-010217
db: CNNVD, id: CNNVD-201909-1146
db: NVD, id: CVE-2019-12651

LAST UPDATE DATE

2024-08-14T13:25:56.753000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-144419, date: 2019-10-09T00:00:00
db: JVNDB, id: JVNDB-2019-010217, date: 2019-10-08T00:00:00
db: CNNVD, id: CNNVD-201909-1146, date: 2020-05-22T00:00:00
db: NVD, id: CVE-2019-12651, date: 2019-10-09T23:45:57.997

SOURCES RELEASE DATE

db: VULHUB, id: VHN-144419, date: 2019-09-25T00:00:00
db: JVNDB, id: JVNDB-2019-010217, date: 2019-10-08T00:00:00
db: CNNVD, id: CNNVD-201909-1146, date: 2019-09-25T00:00:00
db: NVD, id: CVE-2019-12651, date: 2019-09-25T20:15:10.713