ID

VAR-201909-0161


CVE

CVE-2019-12651


TITLE

Cisco IOS XE In software OS Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-010217

DESCRIPTION

Multiple vulnerabilities in the web-based user interface (Web UI) of Cisco IOS XE Software could allow an authenticated, remote attacker to execute commands with elevated privileges on the affected device. For more information about these vulnerabilities, see the Details section of this advisory. Cisco IOS XE The software includes OS A command injection vulnerability exists.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Cisco IOS XE is an operating system developed by Cisco for its network equipment

Trust: 1.71

sources: NVD: CVE-2019-12651 // JVNDB: JVNDB-2019-010217 // VULHUB: VHN-144419

AFFECTED PRODUCTS

vendor:ciscomodel:integrated services virtual routerscope:eqversion:16.6.5

Trust: 1.0

vendor:ciscomodel:iosscope:eqversion:16.11.1

Trust: 1.0

vendor:ciscomodel:cloud services router 1000vscope:eqversion:17.1.1

Trust: 1.0

vendor:ciscomodel:cloud services router 1000vscope: - version: -

Trust: 0.8

vendor:ciscomodel:ios xescope: - version: -

Trust: 0.8

vendor:ciscomodel:integrated services virtual routerscope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2019-010217 // NVD: CVE-2019-12651

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-12651
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2019-12651
value: HIGH

Trust: 1.0

NVD: CVE-2019-12651
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201909-1146
value: HIGH

Trust: 0.6

VULHUB: VHN-144419
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-12651
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-144419
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-12651
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

ykramarz@cisco.com: CVE-2019-12651
baseSeverity: HIGH
baseScore: 7.6
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 4.7
version: 3.0

Trust: 1.0

NVD: CVE-2019-12651
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-144419 // JVNDB: JVNDB-2019-010217 // CNNVD: CNNVD-201909-1146 // NVD: CVE-2019-12651 // NVD: CVE-2019-12651

PROBLEMTYPE DATA

problemtype:CWE-78

Trust: 1.9

problemtype:CWE-77

Trust: 1.0

sources: VULHUB: VHN-144419 // JVNDB: JVNDB-2019-010217 // NVD: CVE-2019-12651

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201909-1146

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-201909-1146

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-010217

PATCH

title:cisco-sa-20190925-webui-cmd-injectionurl:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-webui-cmd-injection

Trust: 0.8

title:Cisco IOS XE Fixes for command injection vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=98564

Trust: 0.6

sources: JVNDB: JVNDB-2019-010217 // CNNVD: CNNVD-201909-1146

EXTERNAL IDS

db:NVDid:CVE-2019-12651

Trust: 2.5

db:JVNDBid:JVNDB-2019-010217

Trust: 0.8

db:CNNVDid:CNNVD-201909-1146

Trust: 0.7

db:AUSCERTid:ESB-2019.3615.2

Trust: 0.6

db:AUSCERTid:ESB-2019.3615

Trust: 0.6

db:VULHUBid:VHN-144419

Trust: 0.1

sources: VULHUB: VHN-144419 // JVNDB: JVNDB-2019-010217 // CNNVD: CNNVD-201909-1146 // NVD: CVE-2019-12651

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190925-webui-cmd-injection

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2019-12651

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-12651

Trust: 0.8

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190925-awr

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2019.3615.2/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2019.3615/

Trust: 0.6

url:https://vigilance.fr/vulnerability/cisco-ios-xe-privilege-escalation-via-web-ui-command-injection-30446

Trust: 0.6

sources: VULHUB: VHN-144419 // JVNDB: JVNDB-2019-010217 // CNNVD: CNNVD-201909-1146 // NVD: CVE-2019-12651

CREDITS

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Trust: 0.6

sources: CNNVD: CNNVD-201909-1146

SOURCES

db:VULHUBid:VHN-144419
db:JVNDBid:JVNDB-2019-010217
db:CNNVDid:CNNVD-201909-1146
db:NVDid:CVE-2019-12651

LAST UPDATE DATE

2024-11-23T21:36:54.535000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-144419date:2019-10-09T00:00:00
db:JVNDBid:JVNDB-2019-010217date:2019-10-08T00:00:00
db:CNNVDid:CNNVD-201909-1146date:2020-05-22T00:00:00
db:NVDid:CVE-2019-12651date:2024-11-21T04:23:15.917

SOURCES RELEASE DATE

db:VULHUBid:VHN-144419date:2019-09-25T00:00:00
db:JVNDBid:JVNDB-2019-010217date:2019-10-08T00:00:00
db:CNNVDid:CNNVD-201909-1146date:2019-09-25T00:00:00
db:NVDid:CVE-2019-12651date:2019-09-25T20:15:10.713