ID

VAR-202009-0480


CVE

CVE-2019-16017


TITLE

Cisco Unified Customer Voice Portal input validation vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-016030

DESCRIPTION

A vulnerability in the Operations, Administration, Maintenance and Provisioning (OAMP) OpsConsole Server for Cisco Unified Customer Voice Portal (CVP) could allow an authenticated, remote attacker to execute Insecure Direct Object Reference actions on specific pages within the OAMP application. The vulnerability is due to insufficient input validation on specific pages of the OAMP application. An attacker could exploit this vulnerability by authenticating to Cisco Unified CVP and sending crafted HTTP requests. A successful exploit could allow an attacker with administrator or read-only privileges to learn information outside of their expected scope. An attacker with administrator privileges could modify certain configuration details of resources outside of their defined scope, which could result in a denial of service (DoS) condition. Cisco Unified Customer Voice Portal (CVP) is vulnerable to an input validation flaw. It may be put into a denial of service (DoS) state.

Trust: 1.71

sources: NVD: CVE-2019-16017 // JVNDB: JVNDB-2019-016030 // VULHUB: VHN-148121

AFFECTED PRODUCTS

vendor: cisco
model: unified customer voice portal
scope: lt
version: 12.0\(1\)_es-7

Trust: 1.0

vendor: cisco
model: unified customer voice portal
scope: lt
version: 11.6\(1\)_es-11

Trust: 1.0

vendor: Cisco Systems
model: cisco unified customer voice portal
scope: eq
version: -

Trust: 0.8

sources: JVNDB: JVNDB-2019-016030 // NVD: CVE-2019-16017

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-16017
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2019-16017
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-16017
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202001-235
value: MEDIUM

Trust: 0.6

VULHUB: VHN-148121
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-16017
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-148121
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

ykramarz@cisco.com: CVE-2019-16017
baseSeverity: MEDIUM
baseScore: 6.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: CHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 2.3
impactScore: 4.0
version: 3.0

Trust: 1.8

nvd@nist.gov: CVE-2019-16017
baseSeverity: MEDIUM
baseScore: 6.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: CHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 2.3
impactScore: 4.0
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-148121 // JVNDB: JVNDB-2019-016030 // CNNVD: CNNVD-202001-235 // NVD: CVE-2019-16017 // NVD: CVE-2019-16017

PROBLEMTYPE DATA

problemtype: CWE-20

Trust: 1.1

problemtype: CWE-264

Trust: 1.0

problemtype: Improper Input Validation (CWE-20) [NVD Evaluation]

Trust: 0.8

sources: VULHUB: VHN-148121 // JVNDB: JVNDB-2019-016030 // NVD: CVE-2019-16017

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202001-235

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-202001-235

PATCH

title: cisco-sa-20200108-cvp-direct-obj-ref
url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200108-cvp-direct-obj-ref

Trust: 0.8

title: Cisco Unified Customer Voice Portal Software Operations, Administration, Maintenance and Provisioning OpsConsole Server Fixes for permissions and access control issues vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=108348

Trust: 0.6

sources: JVNDB: JVNDB-2019-016030 // CNNVD: CNNVD-202001-235

EXTERNAL IDS

db: NVD
id: CVE-2019-16017

Trust: 2.5

db: JVNDB
id: JVNDB-2019-016030

Trust: 0.8

db: CNNVD
id: CNNVD-202001-235

Trust: 0.7

db: AUSCERT
id: ESB-2020.0092

Trust: 0.6

db: CNVD
id: CNVD-2020-03718

Trust: 0.1

db: VULHUB
id: VHN-148121

Trust: 0.1

sources: VULHUB: VHN-148121 // JVNDB: JVNDB-2019-016030 // CNNVD: CNNVD-202001-235 // NVD: CVE-2019-16017

REFERENCES

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20200108-cvp-direct-obj-ref

Trust: 2.3

url: https://nvd.nist.gov/vuln/detail/cve-2019-16017

Trust: 0.8

url: https://www.auscert.org.au/bulletins/esb-2020.0092/

Trust: 0.6

sources: VULHUB: VHN-148121 // JVNDB: JVNDB-2019-016030 // CNNVD: CNNVD-202001-235 // NVD: CVE-2019-16017

SOURCES

db: VULHUB, id: VHN-148121
db: JVNDB, id: JVNDB-2019-016030
db: CNNVD, id: CNNVD-202001-235
db: NVD, id: CVE-2019-16017

LAST UPDATE DATE

2024-08-14T15:22:33.557000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-148121, date: 2020-10-05T00:00:00
db: JVNDB, id: JVNDB-2019-016030, date: 2021-04-14T08:55:00
db: CNNVD, id: CNNVD-202001-235, date: 2020-10-09T00:00:00
db: NVD, id: CVE-2019-16017, date: 2020-10-05T16:51:57.047

SOURCES RELEASE DATE

db: VULHUB, id: VHN-148121, date: 2020-09-23T00:00:00
db: JVNDB, id: JVNDB-2019-016030, date: 2021-04-14T00:00:00
db: CNNVD, id: CNNVD-202001-235, date: 2020-01-08T00:00:00
db: NVD, id: CVE-2019-16017, date: 2020-09-23T01:15:13.770