Sign-up

ID

VAR-201909-0207


CVE

CVE-2019-12635


TITLE

Cisco Content Security Management Appliance Software Authorization vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-008978

DESCRIPTION

A vulnerability in the authorization module of Cisco Content Security Management Appliance (SMA) Software could allow an authenticated, remote attacker to gain out-of-scope access to email. The vulnerability exists because the affected software does not correctly implement role permission controls. An attacker could exploit this vulnerability by using a custom role with specific permissions. A successful exploit could allow the attacker to access the spam quarantine of other users. This appliance is mainly used to manage all policies, reports, audit information, etc. of email and web security appliances

Trust: 1.71

sources: NVD: CVE-2019-12635 // JVNDB: JVNDB-2019-008978 // VULHUB: VHN-144401

AFFECTED PRODUCTS

vendor:ciscomodel:content security management appliancescope:ltversion:12.5.0

Trust: 1.0

vendor:ciscomodel:content security management appliance softwarescope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2019-008978 // NVD: CVE-2019-12635

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-12635
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2019-12635
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-12635
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201909-148
value: MEDIUM

Trust: 0.6

VULHUB: VHN-144401
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2019-12635
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: CVE-2019-12635
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-144401
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

ykramarz@cisco.com: CVE-2019-12635
baseSeverity: MEDIUM
baseScore: 4.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 1.4
version: 3.0

Trust: 1.8

nvd@nist.gov: CVE-2019-12635
baseSeverity: MEDIUM
baseScore: 4.3
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 1.4
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-144401 // JVNDB: JVNDB-2019-008978 // CNNVD: CNNVD-201909-148 // NVD: CVE-2019-12635 // NVD: CVE-2019-12635

PROBLEMTYPE DATA

problemtype:CWE-285

Trust: 1.9

problemtype:CWE-732

Trust: 1.1

sources: VULHUB: VHN-144401 // JVNDB: JVNDB-2019-008978 // NVD: CVE-2019-12635

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201909-148

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201909-148

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-008978

PATCH
title:cisco-sa-20190904-sma-info-disurl:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190904-sma-info-dis
Trust: 0.8
title:Cisco Content Security Management Appliance Software Remediation measures for authorization problem vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=97910
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2019-008978 // 
            
            
            
            CNNVD: CNNVD-201909-148

EXTERNAL IDS
db:NVDid:CVE-2019-12635
Trust: 2.5
db:JVNDBid:JVNDB-2019-008978
Trust: 0.8
db:CNNVDid:CNNVD-201909-148
Trust: 0.7
db:AUSCERTid:ESB-2019.3362
Trust: 0.6
db:AUSCERTid:ESB-2019.3362.3
Trust: 0.6
db:NSFOCUSid:44299
Trust: 0.6
db:VULHUBid:VHN-144401
Trust: 0.1
sources:
            
            
            VULHUB: VHN-144401 // 
            
            
            
            JVNDB: JVNDB-2019-008978 // 
            
            
            
            CNNVD: CNNVD-201909-148 // 
            
            
            
            NVD: CVE-2019-12635

REFERENCES
url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190904-sma-info-dis
Trust: 2.3
url:https://nvd.nist.gov/vuln/detail/cve-2019-12635
Trust: 1.4
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-12635
Trust: 0.8
url:http://www.nsfocus.net/vulndb/44299
Trust: 0.6
url:https://www.auscert.org.au/bulletins/esb-2019.3362/
Trust: 0.6
url:https://www.auscert.org.au/bulletins/esb-2019.3362.3/
Trust: 0.6
url:https://vigilance.fr/vulnerability/cisco-content-security-management-appliance-information-disclosure-via-spam-quarantine-30247
Trust: 0.6
sources:
            
            
            VULHUB: VHN-144401 // 
            
            
            
            JVNDB: JVNDB-2019-008978 // 
            
            
            
            CNNVD: CNNVD-201909-148 // 
            
            
            
            NVD: CVE-2019-12635

CREDITS
vendor
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-201909-148

SOURCES
db:VULHUBid:VHN-144401
db:JVNDBid:JVNDB-2019-008978
db:CNNVDid:CNNVD-201909-148
db:NVDid:CVE-2019-12635

LAST UPDATE DATE
2024-11-23T22:29:57.177000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-144401date:2020-10-08T00:00:00
db:JVNDBid:JVNDB-2019-008978date:2019-09-10T00:00:00
db:CNNVDid:CNNVD-201909-148date:2020-10-09T00:00:00
db:NVDid:CVE-2019-12635date:2024-11-21T04:23:14.110

SOURCES RELEASE DATE
db:VULHUBid:VHN-144401date:2019-09-05T00:00:00
db:JVNDBid:JVNDB-2019-008978date:2019-09-10T00:00:00
db:CNNVDid:CNNVD-201909-148date:2019-09-04T00:00:00
db:NVDid:CVE-2019-12635date:2019-09-05T02:15:12.683