Details of VAR-202009-0479

ID

VAR-202009-0479

CVE

CVE-2019-16009

TITLE

Cisco IOS and IOS XE Cross-site request forgery vulnerability in software

Trust: 0.8

sources: JVNDB: JVNDB-2019-016016

DESCRIPTION

A vulnerability in the web UI of Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections for the web UI on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the targeted user. If the user has administrative privileges, the attacker could alter the configuration, execute commands, or reload an affected device. Both Cisco IOS and IOS XE are a set of operating systems developed by Cisco for its network equipment

Trust: 1.8

sources: NVD: CVE-2019-16009 // JVNDB: JVNDB-2019-016016 // VULHUB: VHN-148112 // VULMON: CVE-2019-16009

AFFECTED PRODUCTS

vendor:	cisco	model:	ios	scope:	lt	version:	16.1.1	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	lt	version:	16.1.1	Trust: 1.0
vendor:	シスコシステムズ	model:	cisco ios	scope:	eq	version:	-	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco ios	scope:	eq	version:	xe	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco ios xe	scope:	eq	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2019-016016 // NVD: CVE-2019-16009

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-16009
value:	HIGH
Trust: 1.0
ykramarz@cisco.com:	CVE-2019-16009
value:	HIGH
Trust: 1.0
NVD:	CVE-2019-16009
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202001-242
value:	HIGH
Trust: 0.6
VULHUB:	VHN-148112
value:	HIGH
Trust: 0.1
VULMON:	CVE-2019-16009
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2019-16009
severity:	HIGH
baseScore:	7.6
vectorString:	AV:N/AC:H/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	HIGH
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	4.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-148112
severity:	HIGH
baseScore:	7.6
vectorString:	AV:N/AC:H/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	HIGH
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	4.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

ykramarz@cisco.com:	CVE-2019-16009
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.0
Trust: 1.8
nvd@nist.gov:	CVE-2019-16009
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0

sources: VULHUB: VHN-148112 // VULMON: CVE-2019-16009 // JVNDB: JVNDB-2019-016016 // CNNVD: CNNVD-202001-242 // NVD: CVE-2019-16009 // NVD: CVE-2019-16009

PROBLEMTYPE DATA

problemtype:	CWE-352	Trust: 1.1
problemtype:	Cross-site request forgery (CWE-352) [NVD Evaluation ]	Trust: 0.8

sources: VULHUB: VHN-148112 // JVNDB: JVNDB-2019-016016 // NVD: CVE-2019-16009

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202001-242

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-202001-242

PATCH

title:	cisco-sa-20200108-ios-csrf	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200108-ios-csrf	Trust: 0.8
title:	Cisco IOS and Cisco IOS XE Software Fixes for cross-site request forgery vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=108350	Trust: 0.6
title:	Cisco: Cisco IOS and Cisco IOS XE Software Web UI Cross-Site Request Forgery Vulnerability	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-20200108-ios-csrf	Trust: 0.1
title:	The Register	url:	https://www.theregister.co.uk/2020/01/10/cisco_january_patches/	Trust: 0.1

sources: VULMON: CVE-2019-16009 // JVNDB: JVNDB-2019-016016 // CNNVD: CNNVD-202001-242

EXTERNAL IDS

db:	NVD	id:	CVE-2019-16009	Trust: 2.6
db:	JVNDB	id:	JVNDB-2019-016016	Trust: 0.8
db:	CNNVD	id:	CNNVD-202001-242	Trust: 0.7
db:	AUSCERT	id:	ESB-2020.1534	Trust: 0.6
db:	CNVD	id:	CNVD-2020-03723	Trust: 0.1
db:	VULHUB	id:	VHN-148112	Trust: 0.1
db:	VULMON	id:	CVE-2019-16009	Trust: 0.1

sources: VULHUB: VHN-148112 // VULMON: CVE-2019-16009 // JVNDB: JVNDB-2019-016016 // CNNVD: CNNVD-202001-242 // NVD: CVE-2019-16009

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20200108-ios-csrf	Trust: 2.5
url:	https://nvd.nist.gov/vuln/detail/cve-2019-16009	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/esb-2020.1534/	Trust: 0.6
url:	https://vigilance.fr/vulnerability/cisco-ios-ios-xe-cross-site-request-forgery-via-web-ui-31283	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/352.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-148112 // VULMON: CVE-2019-16009 // JVNDB: JVNDB-2019-016016 // CNNVD: CNNVD-202001-242 // NVD: CVE-2019-16009

CREDITS

Mehmet Onder Key.

Trust: 0.6

sources: CNNVD: CNNVD-202001-242

SOURCES

db:	VULHUB	id:	VHN-148112
db:	VULMON	id:	CVE-2019-16009
db:	JVNDB	id:	JVNDB-2019-016016
db:	CNNVD	id:	CNNVD-202001-242
db:	NVD	id:	CVE-2019-16009

LAST UPDATE DATE

2024-08-14T14:44:44.737000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-148112	date:	2020-09-28T00:00:00
db:	VULMON	id:	CVE-2019-16009	date:	2020-09-28T00:00:00
db:	JVNDB	id:	JVNDB-2019-016016	date:	2021-04-05T09:07:00
db:	CNNVD	id:	CNNVD-202001-242	date:	2020-09-29T00:00:00
db:	NVD	id:	CVE-2019-16009	date:	2020-09-28T19:26:16.847

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-148112	date:	2020-09-23T00:00:00
db:	VULMON	id:	CVE-2019-16009	date:	2020-09-23T00:00:00
db:	JVNDB	id:	JVNDB-2019-016016	date:	2021-04-05T00:00:00
db:	CNNVD	id:	CNNVD-202001-242	date:	2020-01-08T00:00:00
db:	NVD	id:	CVE-2019-16009	date:	2020-09-23T01:15:13.707