CVE-2019-1883

Current Description

A vulnerability in the command-line interface of Cisco Integrated Management Controller (IMC) could allow an authenticated, local attacker with read-only credentials to inject arbitrary commands that could allow them to obtain root privileges. The vulnerability is due to insufficient validation of user-supplied input on the command-line interface. An attacker could exploit this vulnerability by authenticating with read-only privileges via the CLI of an affected device and submitting crafted input to the affected commands. A successful exploit could allow an attacker to execute arbitrary commands on the device with root privileges.

Basic Data

Published	August 21, 2019
Last Modified	October 09, 2019
Assigner	cve@mitre.org
Data Type	CVE
Data Format	MITRE
Data Version	4.0
Problem Type	CWE-78
CVE Data Version	4.0

Base Metric V2

CVSS 2 - Version	2.0
CVSS 2 - Vector String	AV:L/AC:L/Au:N/C:C/I:C/A:C
CVSS 2 - Access Vector	LOCAL
CVSS 2 - Access Complexity	LOW
CVSS 2 - Authentication	NONE
CVSS 2 - Confidentiality Impact	COMPLETE
CVSS 2 - Availability Impact	COMPLETE
CVSS 2 - Base Score	7.2
Severity	HIGH
Exploitability Score	3.9
Impact Score	10.0
Obtain All Privilege	false
Obtain User Privilege	false
Obtain Other Privilege	false

Base Metric V3

CVSS 3 - Version	3.0
CVSS 3 - Vector String	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 3 - Attack Vector	LOCAL
CVSS 3 - Attack Complexity	LOW
CVSS 3 - Privileges Required	LOW
CVSS 3 - User Interaction	NONE
CVSS 3 - Scope	UNCHANGED
CVSS 3 - Confidentiality Impact	HIGH
CVSS 3 - Integrity Impact	HIGH
CVSS 3 - Availability Impact	HIGH
CVSS 3 - Base Score	7.8
CVSS 3 - Base Severity	HIGH
Exploitability Score	1.8
Base Severity	HIGH

Configurations

Vulnerable Software List

Vendor	Product	Versions
Cisco	Integrated Management Controller Supervisor	*
Cisco	Unified Computing System	4.0(1c)hs3

References