Details of VAR-201910-1727

ID

VAR-201910-1727

CVE

CVE-2019-15260

TITLE

Cisco Aironet Access Points Software Access Control Error Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2019-36456 // CNNVD: CNNVD-201910-1136

DESCRIPTION

A vulnerability in Cisco Aironet Access Points (APs) Software could allow an unauthenticated, remote attacker to gain unauthorized access to a targeted device with elevated privileges. The vulnerability is due to insufficient access control for certain URLs on an affected device. An attacker could exploit this vulnerability by requesting specific URLs from an affected AP. An exploit could allow the attacker to gain access to the device with elevated privileges. While the attacker would not be granted access to all possible configuration options, it could allow the attacker to view sensitive information and replace some options with values of their choosing, including wireless network configuration. It would also allow the attacker to disable the AP, creating a denial of service (DoS) condition for clients associated with the AP. Cisco Aironet 1540 Series APs and other products are products of the United States Cisco. Cisco Aironet 1540 Series APs are a 1540 series access point product. Cisco Aironet 1560 Series APs are a 1560 series access point product. Cisco Aironet 1800 Series APs are a 1800 series access point product. Aironet Access Points (APs) Software is a set of operating systems running on it

Trust: 2.16

sources: NVD: CVE-2019-15260 // JVNDB: JVNDB-2019-011109 // CNVD: CNVD-2019-36456

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2019-36456

AFFECTED PRODUCTS

vendor:	cisco	model:	aironet 1800	scope:	gte	version:	8.5	Trust: 1.0
vendor:	cisco	model:	aironet 2800	scope:	lt	version:	8.5.151.0	Trust: 1.0
vendor:	cisco	model:	aironet 3800	scope:	gte	version:	8.8	Trust: 1.0
vendor:	cisco	model:	aironet 1800	scope:	lt	version:	8.5.151.0	Trust: 1.0
vendor:	cisco	model:	aironet 1560	scope:	lt	version:	8.5.151.0	Trust: 1.0
vendor:	cisco	model:	aironet 3800	scope:	lt	version:	8.8.120.0	Trust: 1.0
vendor:	cisco	model:	aironet 1540	scope:	gte	version:	8.5	Trust: 1.0
vendor:	cisco	model:	aironet 2800	scope:	gte	version:	8.8	Trust: 1.0
vendor:	cisco	model:	aironet 1800	scope:	gte	version:	8.8	Trust: 1.0
vendor:	cisco	model:	aironet 2800	scope:	lt	version:	8.8.120.0	Trust: 1.0
vendor:	cisco	model:	aironet 1560	scope:	gte	version:	8.5	Trust: 1.0
vendor:	cisco	model:	aironet 4800	scope:	gte	version:	8.5	Trust: 1.0
vendor:	cisco	model:	aironet 1800	scope:	lt	version:	8.8.120.0	Trust: 1.0
vendor:	cisco	model:	aironet 1560	scope:	lt	version:	8.8.120.0	Trust: 1.0
vendor:	cisco	model:	aironet 4800	scope:	lt	version:	8.5.151.0	Trust: 1.0
vendor:	cisco	model:	aironet 1540	scope:	gte	version:	8.8	Trust: 1.0
vendor:	cisco	model:	aironet 1540	scope:	lt	version:	8.5.151.0	Trust: 1.0
vendor:	cisco	model:	aironet 1560	scope:	gte	version:	8.8	Trust: 1.0
vendor:	cisco	model:	aironet 4800	scope:	gte	version:	8.8	Trust: 1.0
vendor:	cisco	model:	aironet 4800	scope:	lt	version:	8.8.120.0	Trust: 1.0
vendor:	cisco	model:	aironet 3800	scope:	gte	version:	8.5	Trust: 1.0
vendor:	cisco	model:	aironet 3800	scope:	lt	version:	8.5.151.0	Trust: 1.0
vendor:	cisco	model:	aironet 1540	scope:	lt	version:	8.8.120.0	Trust: 1.0
vendor:	cisco	model:	aironet 2800	scope:	gte	version:	8.5	Trust: 1.0
vendor:	cisco	model:	aironet 1540 series	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	aironet 1560 series	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	aironet 1800 series	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	aironet 2800 series	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	aironet 3800 series	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	aironet 4800 series	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	aironet series aps	scope:	eq	version:	1540	Trust: 0.6
vendor:	cisco	model:	aironet series aps	scope:	eq	version:	1560	Trust: 0.6
vendor:	cisco	model:	aironet series aps	scope:	eq	version:	1800	Trust: 0.6
vendor:	cisco	model:	aironet series aps	scope:	eq	version:	2800	Trust: 0.6
vendor:	cisco	model:	aironet series aps	scope:	eq	version:	3800	Trust: 0.6
vendor:	cisco	model:	aironet aps	scope:	eq	version:	4800	Trust: 0.6

sources: CNVD: CNVD-2019-36456 // JVNDB: JVNDB-2019-011109 // NVD: CVE-2019-15260

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-15260
value:	CRITICAL
Trust: 1.0
ykramarz@cisco.com:	CVE-2019-15260
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2019-15260
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2019-36456
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201910-1136
value:	CRITICAL
Trust: 0.6

nvd@nist.gov:	CVE-2019-15260
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2019-36456
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

ykramarz@cisco.com:	CVE-2019-15260
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.0
Trust: 1.8
nvd@nist.gov:	CVE-2019-15260
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0

sources: CNVD: CNVD-2019-36456 // JVNDB: JVNDB-2019-011109 // CNNVD: CNNVD-201910-1136 // NVD: CVE-2019-15260 // NVD: CVE-2019-15260

PROBLEMTYPE DATA

problemtype:	NVD-CWE-Other	Trust: 1.0
problemtype:	CWE-284	Trust: 1.0
problemtype:	CWE-269	Trust: 0.8

sources: JVNDB: JVNDB-2019-011109 // NVD: CVE-2019-15260

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201910-1136

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-201910-1136

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-011109

PATCH

title:	cisco-sa-20191016-airo-unauth-access	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-airo-unauth-access	Trust: 0.8
title:	Patch for Cisco Aironet Access Points Software Access Control Error Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/186145	Trust: 0.6

sources: CNVD: CNVD-2019-36456 // JVNDB: JVNDB-2019-011109

EXTERNAL IDS

db:	NVD	id:	CVE-2019-15260	Trust: 3.0
db:	JVNDB	id:	JVNDB-2019-011109	Trust: 0.8
db:	CNVD	id:	CNVD-2019-36456	Trust: 0.6
db:	AUSCERT	id:	ESB-2019.3874	Trust: 0.6
db:	CNNVD	id:	CNNVD-201910-1136	Trust: 0.6

sources: CNVD: CNVD-2019-36456 // JVNDB: JVNDB-2019-011109 // CNNVD: CNNVD-201910-1136 // NVD: CVE-2019-15260

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20191016-airo-unauth-access	Trust: 2.2
url:	https://nvd.nist.gov/vuln/detail/cve-2019-15260	Trust: 2.0
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-15260	Trust: 0.8
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20191016-airo-pptp-dos	Trust: 0.6
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20191016-airo-dos	Trust: 0.6
url:	https://vigilance.fr/vulnerability/cisco-aironet-code-execution-via-url-access-control-30649	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2019.3874/	Trust: 0.6

sources: CNVD: CNVD-2019-36456 // JVNDB: JVNDB-2019-011109 // CNNVD: CNNVD-201910-1136 // NVD: CVE-2019-15260

SOURCES

db:	CNVD	id:	CNVD-2019-36456
db:	JVNDB	id:	JVNDB-2019-011109
db:	CNNVD	id:	CNNVD-201910-1136
db:	NVD	id:	CVE-2019-15260

LAST UPDATE DATE

2024-08-14T14:26:08.955000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2019-36456	date:	2019-10-22T00:00:00
db:	JVNDB	id:	JVNDB-2019-011109	date:	2019-10-29T00:00:00
db:	CNNVD	id:	CNNVD-201910-1136	date:	2021-11-03T00:00:00
db:	NVD	id:	CVE-2019-15260	date:	2021-11-02T19:10:56.467

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2019-36456	date:	2019-10-22T00:00:00
db:	JVNDB	id:	JVNDB-2019-011109	date:	2019-10-29T00:00:00
db:	CNNVD	id:	CNNVD-201910-1136	date:	2019-10-16T00:00:00
db:	NVD	id:	CVE-2019-15260	date:	2019-10-16T19:15:13.723