ID

VAR-202001-0698


CVE

CVE-2019-15255


TITLE

Cisco Identity Services Engine vulnerabilities related to lack of authentication

Trust: 0.8

sources: JVNDB: JVNDB-2019-014238

DESCRIPTION

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to bypass authorization and access sensitive information related to the device. The vulnerability exists because the software fails to sanitize URLs before it handles requests. An attacker could exploit this vulnerability by submitting a crafted URL. A successful exploit could allow the attacker to gain unauthorized access to sensitive information. Cisco Identity Services Engine (ISE) is vulnerable to a lack of authentication. Information may be obtained. The platform monitors the network by collecting real-time information on the network, users and devices, and by formulating and implementing corresponding policies.

Trust: 1.8

sources: NVD: CVE-2019-15255 // JVNDB: JVNDB-2019-014238 // VULHUB: VHN-147283 // VULMON: CVE-2019-15255

AFFECTED PRODUCTS

vendor: cisco // model: identity services engine // scope: eq // version: 2.2\(0.470\)

Trust: 1.0

vendor: cisco // model: identity services engine // scope: eq // version: 2.2

Trust: 1.0

vendor: Cisco Systems // model: cisco identity services engine // scope: eq // version: -

Trust: 0.8

sources: JVNDB: JVNDB-2019-014238 // NVD: CVE-2019-15255

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-15255
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2019-15255
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-15255
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202001-236
value: MEDIUM

Trust: 0.6

VULHUB: VHN-147283
value: MEDIUM

Trust: 0.1

VULMON: CVE-2019-15255
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-15255
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-147283
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

ykramarz@cisco.com: CVE-2019-15255
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.0

Trust: 1.8

nvd@nist.gov: CVE-2019-15255
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-147283 // VULMON: CVE-2019-15255 // JVNDB: JVNDB-2019-014238 // CNNVD: CNNVD-202001-236 // NVD: CVE-2019-15255 // NVD: CVE-2019-15255

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

problemtype:CWE-284

Trust: 1.0

problemtype:Lack of authentication (CWE-862) [NVD Evaluation]

Trust: 0.8

problemtype:CWE-862

Trust: 0.1

sources: VULHUB: VHN-147283 // JVNDB: JVNDB-2019-014238 // NVD: CVE-2019-15255

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202001-236

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202001-236

PATCH

title: cisco-sa-20200108-ise-auth-bypass // url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200108-ise-auth-bypass

Trust: 0.8

title: Cisco Identity Services Engine Security vulnerabilities // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=111161

Trust: 0.6

title: Cisco: Cisco Identity Services Engine Authorization Bypass Vulnerability // url: https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-20200108-ise-auth-bypass

Trust: 0.1

title: The Register // url: https://www.theregister.co.uk/2020/01/10/cisco_january_patches/

Trust: 0.1

sources: VULMON: CVE-2019-15255 // JVNDB: JVNDB-2019-014238 // CNNVD: CNNVD-202001-236

EXTERNAL IDS

db: NVD // id: CVE-2019-15255

Trust: 2.6

db: JVNDB // id: JVNDB-2019-014238

Trust: 0.8

db: CNNVD // id: CNNVD-202001-236

Trust: 0.7

db: AUSCERT // id: ESB-2020.0090

Trust: 0.6

db: CNVD // id: CNVD-2020-03719

Trust: 0.1

db: VULHUB // id: VHN-147283

Trust: 0.1

db: VULMON // id: CVE-2019-15255

Trust: 0.1

sources: VULHUB: VHN-147283 // VULMON: CVE-2019-15255 // JVNDB: JVNDB-2019-014238 // CNNVD: CNNVD-202001-236 // NVD: CVE-2019-15255

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20200108-ise-auth-bypass

Trust: 1.9

url:https://nvd.nist.gov/vuln/detail/cve-2019-15255

Trust: 1.4

url:https://www.auscert.org.au/bulletins/esb-2020.0090/

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/111460

Trust: 0.1

sources: VULHUB: VHN-147283 // VULMON: CVE-2019-15255 // JVNDB: JVNDB-2019-014238 // CNNVD: CNNVD-202001-236 // NVD: CVE-2019-15255

CREDITS

Simo Ben Youssef of Blue Cross Blue Shield Association.

Trust: 0.6

sources: CNNVD: CNNVD-202001-236

SOURCES

db: VULHUB // id: VHN-147283
db: VULMON // id: CVE-2019-15255
db: JVNDB // id: JVNDB-2019-014238
db: CNNVD // id: CNNVD-202001-236
db: NVD // id: CVE-2019-15255

LAST UPDATE DATE

2024-08-14T15:17:45.726000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-147283 // date: 2020-10-09T00:00:00
db: VULMON // id: CVE-2019-15255 // date: 2020-10-09T00:00:00
db: JVNDB // id: JVNDB-2019-014238 // date: 2020-02-07T00:00:00
db: CNNVD // id: CNNVD-202001-236 // date: 2020-10-10T00:00:00
db: NVD // id: CVE-2019-15255 // date: 2020-10-09T13:43:07.937

SOURCES RELEASE DATE

db: VULHUB // id: VHN-147283 // date: 2020-01-26T00:00:00
db: VULMON // id: CVE-2019-15255 // date: 2020-01-26T00:00:00
db: JVNDB // id: JVNDB-2019-014238 // date: 2020-02-07T00:00:00
db: CNNVD // id: CNNVD-202001-236 // date: 2020-01-08T00:00:00
db: NVD // id: CVE-2019-15255 // date: 2020-01-26T05:15:11.567