Details of VAR-202001-0501

ID

VAR-202001-0501

CVE

CVE-2019-16003

TITLE

Cisco UCS Director Vulnerable to lack of authentication for important functions

Trust: 0.8

sources: JVNDB: JVNDB-2019-014237

DESCRIPTION

A vulnerability in the web-based management interface of Cisco UCS Director could allow an unauthenticated, remote attacker to download system log files from an affected device. The vulnerability is due to an issue in the authentication logic of the web-based management interface. An attacker could exploit this vulnerability by sending a crafted request to the web interface. A successful exploit could allow the attacker to download log files if they were previously generated by an administrator. Cisco UCS Director Contains a vulnerability regarding the lack of authentication for critical functions.Information may be obtained. Cisco UCS Director is a heterogeneous platform of private cloud infrastructure as a service (IaaS) of Cisco (Cisco)

Trust: 1.71

sources: NVD: CVE-2019-16003 // JVNDB: JVNDB-2019-014237 // VULHUB: VHN-148106

AFFECTED PRODUCTS

vendor:	cisco	model:	ucs director	scope:	lt	version:	6.7.3.1	Trust: 1.0
vendor:	シスコシステムズ	model:	cisco ucs director	scope:	eq	version:	-	Trust: 0.8
vendor:	cisco	model:	ucs director	scope:	eq	version:	4.0.0.2	Trust: 0.6
vendor:	cisco	model:	ucs director	scope:	eq	version:	4.1.0.1	Trust: 0.6
vendor:	cisco	model:	ucs director	scope:	eq	version:	4.1.0.2	Trust: 0.6
vendor:	cisco	model:	ucs director	scope:	eq	version:	4.1.0.0	Trust: 0.6
vendor:	cisco	model:	ucs director	scope:	eq	version:	4.0.1.1	Trust: 0.6
vendor:	cisco	model:	ucs director	scope:	eq	version:	4.0.0.3	Trust: 0.6
vendor:	cisco	model:	ucs director	scope:	eq	version:	4.0.0.1	Trust: 0.6
vendor:	cisco	model:	ucs director	scope:	eq	version:	4.0.0.0	Trust: 0.6
vendor:	cisco	model:	ucs director	scope:	eq	version:	4.0.1.2	Trust: 0.6
vendor:	cisco	model:	ucs director	scope:	eq	version:	2.10.0	Trust: 0.6

sources: JVNDB: JVNDB-2019-014237 // CNNVD: CNNVD-202001-238 // NVD: CVE-2019-16003

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-16003
value:	MEDIUM
Trust: 1.0
ykramarz@cisco.com:	CVE-2019-16003
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2019-16003
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202001-238
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-148106
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2019-16003
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-148106
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-16003
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	1.4
version:	3.1
Trust: 1.0
ykramarz@cisco.com:	CVE-2019-16003
baseSeverity:	MEDIUM
baseScore:	4.3
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	1.4
version:	3.0
Trust: 1.0
NVD:	CVE-2019-16003
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-148106 // JVNDB: JVNDB-2019-014237 // CNNVD: CNNVD-202001-238 // NVD: CVE-2019-16003 // NVD: CVE-2019-16003

PROBLEMTYPE DATA

problemtype:	CWE-306	Trust: 1.1
problemtype:	Lack of authentication for critical functions (CWE-306) [NVD Evaluation ]	Trust: 0.8

sources: VULHUB: VHN-148106 // JVNDB: JVNDB-2019-014237 // NVD: CVE-2019-16003

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202001-238

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-202001-238

PATCH

title:	cisco-sa-20200108-ucs-dir-infodis	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200108-ucs-dir-infodis	Trust: 0.8
title:	Cisco UCS Director Fixes for access control error vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=110859	Trust: 0.6

sources: JVNDB: JVNDB-2019-014237 // CNNVD: CNNVD-202001-238

EXTERNAL IDS

db:	NVD	id:	CVE-2019-16003	Trust: 2.5
db:	JVNDB	id:	JVNDB-2019-014237	Trust: 0.8
db:	CNNVD	id:	CNNVD-202001-238	Trust: 0.7
db:	AUSCERT	id:	ESB-2020.0091	Trust: 0.6
db:	VULHUB	id:	VHN-148106	Trust: 0.1

sources: VULHUB: VHN-148106 // JVNDB: JVNDB-2019-014237 // CNNVD: CNNVD-202001-238 // NVD: CVE-2019-16003

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20200108-ucs-dir-infodis	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2019-16003	Trust: 1.4
url:	https://vigilance.fr/vulnerability/cisco-ucs-director-information-disclosure-via-system-log-files-31285	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.0091/	Trust: 0.6

sources: VULHUB: VHN-148106 // JVNDB: JVNDB-2019-014237 // CNNVD: CNNVD-202001-238 // NVD: CVE-2019-16003

SOURCES

db:	VULHUB	id:	VHN-148106
db:	JVNDB	id:	JVNDB-2019-014237
db:	CNNVD	id:	CNNVD-202001-238
db:	NVD	id:	CVE-2019-16003

LAST UPDATE DATE

2024-11-23T22:21:21.952000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-148106	date:	2020-01-27T00:00:00
db:	JVNDB	id:	JVNDB-2019-014237	date:	2020-02-07T00:00:00
db:	CNNVD	id:	CNNVD-202001-238	date:	2020-03-03T00:00:00
db:	NVD	id:	CVE-2019-16003	date:	2024-11-21T04:29:54.723

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-148106	date:	2020-01-26T00:00:00
db:	JVNDB	id:	JVNDB-2019-014237	date:	2020-02-07T00:00:00
db:	CNNVD	id:	CNNVD-202001-238	date:	2020-01-08T00:00:00
db:	NVD	id:	CVE-2019-16003	date:	2020-01-26T05:15:13.867