CVE-2019-1837

A vulnerability in the User Data Services (UDS) API of Cisco Unified Communications Manager (Unified CM) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on the management GUI. The vulnerability is due to improper validation of input parameters in the UDS API requests. An attacker could exploit this vulnerability by sending a crafted request to the UDS API of an affected device. A successful exploit could allow the attacker to make the A Cisco DB service quit unexpectedly, preventing admin access to the Unified CM management GUI. Manual intervention may be required to restore normal operation. Software versions 10.5, 11.5, 12.0, 12.5 are affected.

CVSS v3 7.5 HIGH
CVSS v2.0 7.8 HIGH

7.5^/10

CVSS v3 : HIGH

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

7.8^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:N/I:N/A:C

Exploitability : 10.0 / Impact : 6.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact COMPLETE

References

Link	Resource
http://www.securityfocus.com/bid/108019	Third Party Advisory VDB Entry
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190417-ucm-dos	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:cisco:unified_communications_manager:10.5\(2.10000.5\):::::::*
	cpe:2.3:a:cisco:unified_communications_manager:11.5\(1.10000.6\):::::::*
	cpe:2.3:a:cisco:unified_communications_manager:12.0\(1.10000.10\):::::::*
	cpe:2.3:a:cisco:unified_communications_manager:12.5\(1.10000.22\):::::::*

History

No history.

Information

Published : 2019-04-18 02:29

Updated : 2024-02-04 20:20

NVD link : CVE-2019-1837

Mitre link : CVE-2019-1837

CVE.ORG link : CVE-2019-1837

JSON object : View

Products Affected

cisco

unified_communications_manager

CWE

CWE-20

Improper Input Validation

CWE-129

Improper Validation of Array Index

{"id": "CVE-2019-1837", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 6.9, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "ykramarz@cisco.com", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2019-04-18T02:29:05.997", "references": [{"url": "http://www.securityfocus.com/bid/108019", "tags": ["Third Party Advisory", "VDB Entry"], "source": "ykramarz@cisco.com"}, {"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190417-ucm-dos", "tags": ["Vendor Advisory"], "source": "ykramarz@cisco.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-20"}]}, {"type": "Secondary", "source": "ykramarz@cisco.com", "description": [{"lang": "en", "value": "CWE-129"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in the User Data Services (UDS) API of Cisco Unified Communications Manager (Unified CM) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on the management GUI. The vulnerability is due to improper validation of input parameters in the UDS API requests. An attacker could exploit this vulnerability by sending a crafted request to the UDS API of an affected device. A successful exploit could allow the attacker to make the A Cisco DB service quit unexpectedly, preventing admin access to the Unified CM management GUI. Manual intervention may be required to restore normal operation. Software versions 10.5, 11.5, 12.0, 12.5 are affected."}, {"lang": "es", "value": "Una vulnerabilidad en la API de servicios de datos de usuario (UDS) de Unified Communications Manager (Unified CM) de Cisco podr\u00eda permitir que un atacante remoto no autenticado cause una condici\u00f3n de denegaci\u00f3n de servicio (DoS) en la GUI de administraci\u00f3n. La vulnerabilidad es debido a la comprobaci\u00f3n inapropiada de los par\u00e1metros de entrada en las peticiones de la API de UDS. Un atacante podr\u00eda explotar esta vulnerabilidad mediante el env\u00edo de una petici\u00f3n creada a la API de UDS de un dispositivo afectado. Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir al atacante hacer que el servicio A Cisco DB se cierre inesperadamente, impidiendo el acceso del administrador a la GUI de administraci\u00f3n del Unified CM Puede requerirse intervenci\u00f3n manual para restablecer el funcionamiento normal. Las versiones de software 10.5, 11.5, 12.0, 12.5 est\u00e1n impactadas"}], "lastModified": "2019-10-09T23:48:17.737", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cisco:unified_communications_manager:10.5\\(2.10000.5\\):*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "520555C7-5E9B-4C76-AAB5-5DD8B29D18F0"}, {"criteria": "cpe:2.3:a:cisco:unified_communications_manager:11.5\\(1.10000.6\\):*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "21BFC3A9-B6B1-49EE-A93A-6432BFE33E84"}, {"criteria": "cpe:2.3:a:cisco:unified_communications_manager:12.0\\(1.10000.10\\):*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1BA185BB-D78F-4F4E-B248-9AF550F0C4E0"}, {"criteria": "cpe:2.3:a:cisco:unified_communications_manager:12.5\\(1.10000.22\\):*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BEEEA592-F8A1-41F2-B152-87F0A9B6087E"}], "operator": "OR"}]}], "sourceIdentifier": "ykramarz@cisco.com"}