CVE-2019-12674

EPSS 0.03%
Published 02.10.2019 19:15:12
Last modified 21.11.2024 04:23:19
Source psirt@cisco.com
Teams watchlist Login
Open Login

Multiple vulnerabilities in the multi-instance feature of Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to escape the container for their FTD instance and execute commands with root privileges in the host namespace. These vulnerabilities are due to insufficient protections on the underlying filesystem. An attacker could exploit these vulnerabilities by modifying critical files on the underlying filesystem. A successful exploit could allow the attacker to execute commands with root privileges within the host namespace. This could allow the attacker to impact other running FTD instances.

Affected products Warnungen 0 Metrics 4 CWE 2 References 4

Data is provided by the National Vulnerability Database (NVD)

Cisco ≫ Firepower Threat Defense Version < 6.4.0.2

Cisco ≫ Firepower 9300 Firmware Version-

Cisco ≫ Firepower 9300 Version-

Cisco ≫ Firepower 4115 Firmware Version-

Cisco ≫ Firepower 4115 Version-

Cisco ≫ Firepower 4125 Firmware Version-

Cisco ≫ Firepower 4125 Version-

Cisco ≫ Firepower 4145 Firmware Version-

Cisco ≫ Firepower 4145 Version-

Cisco ≫ Firepower 4110 Firmware Version-

Cisco ≫ Firepower 4110 Version-

Cisco ≫ Firepower 4120 Firmware Version-

Cisco ≫ Firepower 4120 Version-

Cisco ≫ Firepower 4140 Firmware Version-

Cisco ≫ Firepower 4140 Version-

Cisco ≫ Firepower 4150 Firmware Version-

Cisco ≫ Firepower 4150 Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.03%	0.046

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.2	1.5	6	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
nvd@nist.gov	7.2	3.9	10	AV:L/AC:L/Au:N/C:C/I:C/A:C
psirt@cisco.com	8.2	1.5	6	CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CWE-116 Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

CWE-216 DEPRECATED: Containment Errors (Container Errors)

This entry has been deprecated, as it was not effective as a weakness and was structured more like a category. In addition, the name is inappropriate, since the "container" term is widely understood by developers in different ways than originally intended by PLOVER, the original source for this entry.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191002-ftd-container-esc

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2019-12674

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-12674

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-12674

EUVD