CVE-2019-1984

A vulnerability in Cisco Enterprise Network Functions Virtualization Infrastructure Software (NFVIS) could allow an authenticated, remote attacker with administrator privileges to overwrite files on the underlying operating system (OS) of an affected device. The vulnerability is due to improper input validation in an NFVIS file-system command. An attacker could exploit this vulnerability by using crafted variables during the execution of an affected command. A successful exploit could allow the attacker to overwrite arbitrary files on the underlying OS.

CVSS v3 6.5 MEDIUM
CVSS v2.0 5.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector : AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Exploitability : 1.2 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

5.5^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:N/I:P/A:P

Exploitability : 8.0 / Impact : 4.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-nfv-filewrite	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:cisco:enterprise_network_function_virtualization_infrastructure_sofware:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2019-08-21 19:15

Updated : 2024-02-04 20:20

NVD link : CVE-2019-1984

Mitre link : CVE-2019-1984

CVE.ORG link : CVE-2019-1984

JSON object : View

Products Affected

cisco

enterprise_network_function_virtualization_infrastructure_sofware

CWE

CWE-20

Improper Input Validation

{"id": "CVE-2019-1984", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 5.2, "exploitabilityScore": 1.2}, {"type": "Secondary", "source": "ykramarz@cisco.com", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 5.2, "exploitabilityScore": 1.2}]}, "published": "2019-08-21T19:15:15.670", "references": [{"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-nfv-filewrite", "tags": ["Vendor Advisory"], "source": "ykramarz@cisco.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-20"}]}, {"type": "Secondary", "source": "ykramarz@cisco.com", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in Cisco Enterprise Network Functions Virtualization Infrastructure Software (NFVIS) could allow an authenticated, remote attacker with administrator privileges to overwrite files on the underlying operating system (OS) of an affected device. The vulnerability is due to improper input validation in an NFVIS file-system command. An attacker could exploit this vulnerability by using crafted variables during the execution of an affected command. A successful exploit could allow the attacker to overwrite arbitrary files on the underlying OS."}, {"lang": "es", "value": "Una vulnerabilidad en el software de infraestructura de virtualizaci\u00f3n de funciones de red de Cisco Enterprise (NFVIS) podr\u00eda permitir que un atacante remoto autorizado con privilegios de administrador sobrescriba archivos en el sistema operativo (SO) subyacente de un dispositivo afectado. La vulnerabilidad se debe a una validaci\u00f3n de entrada incorrecta en un comando del sistema de archivos NFVIS. Un atacante podr\u00eda aprovechar esta vulnerabilidad mediante el uso de variables especialmente dise\u00f1adas durante la ejecuci\u00f3n de un comando afectado. Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir al atacante sobrescribir archivos arbitrarios en el sistema operativo subyacente."}], "lastModified": "2019-10-09T23:48:44.897", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cisco:enterprise_network_function_virtualization_infrastructure_sofware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "98C316C8-4B40-4166-A9A4-B40CF76DD527", "versionEndExcluding": "3.12.1"}], "operator": "OR"}]}], "sourceIdentifier": "ykramarz@cisco.com"}