CVE-2019-1614

EPSS 1.9%
Veröffentlicht 11.03.2019 21:29:00
Zuletzt bearbeitet 21.11.2024 04:36:55
Quelle psirt@cisco.com
Teams Watchlist Login
Unerledigt Login

A vulnerability in the NX-API feature of Cisco NX-OS Software could allow an authenticated, remote attacker to execute arbitrary commands with root privileges. The vulnerability is due to incorrect input validation of user-supplied data by the NX-API subsystem. An attacker could exploit this vulnerability by sending malicious HTTP or HTTPS packets to the management interface of an affected system that has the NX-API feature enabled. A successful exploit could allow the attacker to perform a command-injection attack and execute arbitrary commands with root privileges. Note: NX-API is disabled by default. MDS 9000 Series Multilayer Switches are affected running software versions prior to 8.1(1b) and 8.2(3). Nexus 3000 Series Switches are affected running software versions prior to 7.0(3)I4(9) and 7.0(3)I7(4). Nexus 3500 Platform Switches are affected running software versions prior to 7.0(3)I7(4). Nexus 2000, 5500, 5600, and 6000 Series Switches are affected running software versions prior to 7.3(4)N1(1). Nexus 9000 Series Switches in Standalone NX-OS Mode are affected running software versions prior to 7.0(3)I4(9) and 7.0(3)I7(4). Nexus 7000 and 7700 Series Switches are affected running software versions prior to 7.3(3)D1(1) and 8.2(3).

Betroffene Produkte Warnungen 0 Metriken 4 CWE 2 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Cisco ≫ Nx-os Version >= 8.2 < 8.3\(2\)

Cisco ≫ Mds 9000 Version-

Cisco ≫ Nx-os Version >= 7.3 < 8.1\(1b\)

Cisco ≫ Mds 9000 Version-

Cisco ≫ Nx-os Version >= 7.0\(3\)i5 < 7.0\(3\)i7\(4\)

Cisco ≫ Nexus 3000 Version-

Cisco ≫ Nx-os Version < 7.0\(3\)i4\(9\)

Cisco ≫ Nexus 3000 Version-

Cisco ≫ Nx-os Version >= 7.0\(3\) < 7.0\(3\)i7\(4\)

Cisco ≫ Nexus 3500 Version-

Cisco ≫ Nx-os Version >= 7.3 < 7.3\(4\)n1\(1\)

   Cisco ≫ Nexus 2000 Version-
   Cisco ≫ Nexus 5500 Version-
   Cisco ≫ Nexus 5600 Version-
   Cisco ≫ Nexus 6000 Version-

Cisco ≫ Nx-os Version >= 8.3 < 8.3\(2\)

Cisco ≫ Nexus 7000 Version-
Cisco ≫ Nexus 7700 Version-

Cisco ≫ Nx-os Version >= 8.0 < 8.2\(3\)

Cisco ≫ Nexus 7000 Version-
Cisco ≫ Nexus 7700 Version-

Cisco ≫ Nx-os Version >= 7.2 < 7.3\(3\)d1\(1\)

Cisco ≫ Nexus 7000 Version-
Cisco ≫ Nexus 7700 Version-

Cisco ≫ Nx-os Version < 7.3\(3\)i4\(9\)

Cisco ≫ Nexus 9000 Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.9%	0.824

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	9	8	10	AV:N/AC:L/Au:S/C:C/I:C/A:C
psirt@cisco.com	8.8	2.8	5.9	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

http://www.securityfocus.com/bid/107339

Third Party Advisory

VDB Entry

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190306-nxos-NXAPI-cmdinj

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2019-1614

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-1614

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-1614

EUVD