Details of VAR-201909-0197

ID

VAR-201909-0197

CVE

CVE-2019-12620

TITLE

Cisco HyperFlex Vulnerability related to insufficient verification of data reliability in software

Trust: 0.8

sources: JVNDB: JVNDB-2019-009495

DESCRIPTION

A vulnerability in the statistics collection service of Cisco HyperFlex Software could allow an unauthenticated, remote attacker to inject arbitrary values on an affected device. The vulnerability is due to insufficient authentication for the statistics collection service. An attacker could exploit this vulnerability by sending properly formatted data values to the statistics collection service of an affected device. A successful exploit could allow the attacker to cause the web interface statistics view to present invalid data to users. Cisco HyperFlex The software is vulnerable to insufficient validation of data reliability.Information may be tampered with. Cisco HyperFlex Software is a set of scalable distributed file systems from Cisco. The system provides unified computing, storage and network through cloud management, and provides enterprise-level data management and optimization services

Trust: 1.71

sources: NVD: CVE-2019-12620 // JVNDB: JVNDB-2019-009495 // VULHUB: VHN-144385

AFFECTED PRODUCTS

vendor:	cisco	model:	hyperflex hx220c m5	scope:	eq	version:	3.5\(2a\)	Trust: 1.0
vendor:	cisco	model:	hyperflex hx240c m5	scope:	eq	version:	3.5\(2a\)	Trust: 1.0
vendor:	cisco	model:	hyperflex hx240c af m5	scope:	eq	version:	4.0\(1a\)	Trust: 1.0
vendor:	cisco	model:	hyperflex hx220c af m5	scope:	eq	version:	3.0\(1a\)	Trust: 1.0
vendor:	cisco	model:	hyperflex hx220c edge m5	scope:	eq	version:	4.0\(1a\)	Trust: 1.0
vendor:	cisco	model:	hyperflex hx220c m5	scope:	eq	version:	4.0\(1a\)	Trust: 1.0
vendor:	cisco	model:	hyperflex hx240c m5	scope:	eq	version:	4.0\(1a\)	Trust: 1.0
vendor:	cisco	model:	hyperflex hx240c af m5	scope:	eq	version:	3.0\(1a\)	Trust: 1.0
vendor:	cisco	model:	hyperflex hx220c edge m5	scope:	eq	version:	3.0\(1a\)	Trust: 1.0
vendor:	cisco	model:	hyperflex hx220c af m5	scope:	eq	version:	3.5\(2a\)	Trust: 1.0
vendor:	cisco	model:	hyperflex hx220c m5	scope:	eq	version:	3.0\(1a\)	Trust: 1.0
vendor:	cisco	model:	hyperflex hx240c m5	scope:	eq	version:	3.0\(1a\)	Trust: 1.0
vendor:	cisco	model:	hyperflex hx240c af m5	scope:	eq	version:	3.5\(2a\)	Trust: 1.0
vendor:	cisco	model:	hyperflex hx220c af m5	scope:	eq	version:	4.0\(1a\)	Trust: 1.0
vendor:	cisco	model:	hyperflex hx220c edge m5	scope:	eq	version:	3.5\(2a\)	Trust: 1.0
vendor:	cisco	model:	hyperflex hx220c edge m5	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	hyperflex hx220c m5 all flash	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	hyperflex hx220c m5	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	hyperflex hx240c m5 all flash	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	hyperflex hx240c m5	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	hyperflex hx220c m5	scope:	eq	version:	3.52a	Trust: 0.6
vendor:	cisco	model:	hyperflex hx240c m5	scope:	eq	version:	3.52a	Trust: 0.6
vendor:	cisco	model:	hyperflex hx220c m5	scope:	eq	version:	-	Trust: 0.6
vendor:	cisco	model:	hyperflex hx240c m5	scope:	eq	version:	4.01a	Trust: 0.6
vendor:	cisco	model:	hyperflex hx220c m5	scope:	eq	version:	4.01a	Trust: 0.6
vendor:	cisco	model:	hyperflex hx220c af m5	scope:	eq	version:	3.52a	Trust: 0.6
vendor:	cisco	model:	hyperflex hx240c m5	scope:	eq	version:	3.01a	Trust: 0.6
vendor:	cisco	model:	hyperflex hx220c m5	scope:	eq	version:	3.01a	Trust: 0.6
vendor:	cisco	model:	hyperflex hx240c m5	scope:	eq	version:	-	Trust: 0.6
vendor:	cisco	model:	hyperflex hx220c af m5	scope:	eq	version:	3.01a	Trust: 0.6

sources: JVNDB: JVNDB-2019-009495 // CNNVD: CNNVD-201909-871 // NVD: CVE-2019-12620

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-12620
value:	MEDIUM
Trust: 1.0
ykramarz@cisco.com:	CVE-2019-12620
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2019-12620
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201909-871
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-144385
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2019-12620
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-144385
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

ykramarz@cisco.com:	CVE-2019-12620
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	1.4
version:	3.0
Trust: 1.8
nvd@nist.gov:	CVE-2019-12620
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	1.4
version:	3.1
Trust: 1.0

sources: VULHUB: VHN-144385 // JVNDB: JVNDB-2019-009495 // CNNVD: CNNVD-201909-871 // NVD: CVE-2019-12620 // NVD: CVE-2019-12620

PROBLEMTYPE DATA

problemtype:

CWE-345

Trust: 1.9

sources: VULHUB: VHN-144385 // JVNDB: JVNDB-2019-009495 // NVD: CVE-2019-12620

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201909-871

TYPE

data forgery

Trust: 0.6

sources: CNNVD: CNNVD-201909-871

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-009495

PATCH

title:	cisco-sa-20190918-hyperflex-valinj	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190918-hyperflex-valinj	Trust: 0.8
title:	Cisco HyperFlex Software Repair measures for data forgery problem vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=98397	Trust: 0.6

sources: JVNDB: JVNDB-2019-009495 // CNNVD: CNNVD-201909-871

EXTERNAL IDS

db:	NVD	id:	CVE-2019-12620	Trust: 2.5
db:	JVNDB	id:	JVNDB-2019-009495	Trust: 0.8
db:	CNNVD	id:	CNNVD-201909-871	Trust: 0.7
db:	AUSCERT	id:	ESB-2019.3542	Trust: 0.6
db:	VULHUB	id:	VHN-144385	Trust: 0.1

sources: VULHUB: VHN-144385 // JVNDB: JVNDB-2019-009495 // CNNVD: CNNVD-201909-871 // NVD: CVE-2019-12620

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190918-hyperflex-valinj	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2019-12620	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-12620	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/esb-2019.3542/	Trust: 0.6

sources: VULHUB: VHN-144385 // JVNDB: JVNDB-2019-009495 // CNNVD: CNNVD-201909-871 // NVD: CVE-2019-12620

SOURCES

db:	VULHUB	id:	VHN-144385
db:	JVNDB	id:	JVNDB-2019-009495
db:	CNNVD	id:	CNNVD-201909-871
db:	NVD	id:	CVE-2019-12620

LAST UPDATE DATE

2024-11-23T22:37:41.759000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-144385	date:	2019-10-09T00:00:00
db:	JVNDB	id:	JVNDB-2019-009495	date:	2019-09-24T00:00:00
db:	CNNVD	id:	CNNVD-201909-871	date:	2019-09-30T00:00:00
db:	NVD	id:	CVE-2019-12620	date:	2024-11-21T04:23:12.247

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-144385	date:	2019-09-18T00:00:00
db:	JVNDB	id:	JVNDB-2019-009495	date:	2019-09-24T00:00:00
db:	CNNVD	id:	CNNVD-201909-871	date:	2019-09-18T00:00:00
db:	NVD	id:	CVE-2019-12620	date:	2019-09-18T17:15:15.880