CVE-2019-1613

EPSS 0.06%
Veröffentlicht 11.03.2019 21:29:00
Zuletzt bearbeitet 21.11.2024 04:36:55
Quelle psirt@cisco.com
Teams Watchlist Login
Unerledigt Login

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system of an affected device. The vulnerability is due to insufficient validation of arguments passed to certain CLI commands. An attacker could exploit this vulnerability by including malicious input as the argument of an affected command. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with elevated privileges. An attacker would need valid administrator credentials to exploit this vulnerability. MDS 9000 Series Multilayer Switches are affected running software versions prior to 6.2(27) and 8.2(3). Nexus 3000 Series Switches are affected running software versions prior to 7.0(3)I4(9) and 7.0(3)I7(6). Nexus 3500 Platform Switches are affected running software versions prior to 6.0(2)A8(11) and 7.0(3)I7(6). Nexus 3600 Platform Switches are affected running software versions prior to 7.0(3)F3(5). Nexus 9000 Series Switches in Standalone NX-OS Mode are affected running software versions prior to 7.0(3)I4(9), 7.0(3)I7(6). Nexus 9500 R-Series Line Cards and Fabric Modules are affected running software versions prior to 7.0(3)F3(5). Nexus 7000 and 7700 Series Switches are affected running software versions prior to 6.2(22) and 8.2(3).

Betroffene Produkte Warnungen 0 Metriken 4 CWE 2 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Cisco ≫ Nx-os Version7.0(3)f3(3)

   Cisco ≫ 9432pq Version-
   Cisco ≫ 9536pq Version-
   Cisco ≫ 9636pq Version-
   Cisco ≫ 9736pq Version-
   Cisco ≫ N9k-x9432c-s Version-
   Cisco ≫ N9k-x9464px Version-
   Cisco ≫ N9k-x9464tx2 Version-
   Cisco ≫ N9k-x9564px Version-
   Cisco ≫ N9k-x9564tx Version-
   Cisco ≫ N9k-x9636c-r Version-
   Cisco ≫ N9k-x9636c-rx Version-
   Cisco ≫ N9k-x97160yc-ex Version-
   Cisco ≫ N9k-x9732c-ex Version-
   Cisco ≫ N9k-x9732c-fx Version-
   Cisco ≫ N9k-x9736c-ex Version-
   Cisco ≫ N9k-x9736c-fx Version-
   Cisco ≫ N9k-x9788tc-fx Version-
   Cisco ≫ Nexus 92160yc-x Version-
   Cisco ≫ Nexus 92300yc Version-
   Cisco ≫ Nexus 92304qc Version-
   Cisco ≫ Nexus 9236c Version-
   Cisco ≫ Nexus 9272q Version-
   Cisco ≫ Nexus 93108tc-ex Version-
   Cisco ≫ Nexus 93108tc-fx Version-
   Cisco ≫ Nexus 93120tx Version-
   Cisco ≫ Nexus 9316d-gx Version-
   Cisco ≫ Nexus 93180lc-ex Version-
   Cisco ≫ Nexus 93180yc-ex Version-
   Cisco ≫ Nexus 93180yc-fx Version-
   Cisco ≫ Nexus 93240yc-fx2 Version-
   Cisco ≫ Nexus 9332c Version-
   Cisco ≫ Nexus 9336c-fx2 Version-
   Cisco ≫ Nexus 9348gc-fxp Version-
   Cisco ≫ Nexus 93600cd-gx Version-
   Cisco ≫ Nexus 9364c Version-
   Cisco ≫ Nexus 9504 Version-
   Cisco ≫ Nexus 9508 Version-
   Cisco ≫ Nexus 9516 Version-
   Cisco ≫ X9636q-r Version-

Cisco ≫ Nx-os Version7.0(3)i7(2)

Cisco ≫ Nx-os Version9.2(1)

   Cisco ≫ N3k-c31128pq-10ge Version-
   Cisco ≫ N3k-c3132c-z Version-
   Cisco ≫ N3k-c3164q-40ge Version-
   Cisco ≫ N3k-c3264q Version-

Cisco ≫ Nx-os Version7.0(3)i7(2)

   Cisco ≫ N77-f312ck-26 Version-
   Cisco ≫ N77-f324fq-25 Version-
   Cisco ≫ N77-f348xp-23 Version-
   Cisco ≫ N77-f430cq-36 Version-
   Cisco ≫ N77-m312cq-26l Version-
   Cisco ≫ N77-m324fq-25l Version-
   Cisco ≫ N77-m348xp-23l Version-
   Cisco ≫ N7k-f248xp-25e Version-
   Cisco ≫ N7k-f306ck-25 Version-
   Cisco ≫ N7k-f312fq-25 Version-
   Cisco ≫ N7k-m202cf-22l Version-
   Cisco ≫ N7k-m206fq-23l Version-
   Cisco ≫ N7k-m224xp-23l Version-
   Cisco ≫ N7k-m324fq-25l Version-
   Cisco ≫ N7k-m348xp-25l Version-

Cisco ≫ Nx-os Version8.2(1)

Cisco ≫ Nx-os Version9.2(2)

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.06%	0.157

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.7	0.8	5.9	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	4.6	3.9	6.4	AV:L/AC:L/Au:N/C:P/I:P/A:P
psirt@cisco.com	4.2	0.8	3.4	CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

http://www.securityfocus.com/bid/107392

Third Party Advisory

VDB Entry

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190306-nxos-cmdinj-1613

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2019-1613

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-1613

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-1613

EUVD