CVE-2019-1727

EPSS 0.13%
Published 15.05.2019 17:29:01
Last modified 21.11.2024 04:37:11
Source psirt@cisco.com
Teams watchlist Login
Open Login

A vulnerability in the Python scripting subsystem of Cisco NX-OS Software could allow an authenticated, local attacker to escape the Python parser and issue arbitrary commands to elevate the attacker's privilege level. The vulnerability is due to insufficient sanitization of user-supplied parameters that are passed to certain Python functions in the scripting sandbox of the affected device. An attacker could exploit this vulnerability to escape the scripting sandbox and execute arbitrary commands to elevate the attacker's privilege level. To exploit this vulnerability, the attacker must have local access and be authenticated to the targeted device with administrative or Python execution privileges. These requirements could limit the possibility of a successful exploit.

Affected products Warnungen 0 Metrics 4 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Cisco ≫ Nx-os Version >= 5.2 < 8.1\(1b\)

   Cisco ≫ Mds 9000 Version-
   Cisco ≫ Mds 9100 Version-
   Cisco ≫ Mds 9200 Version-
   Cisco ≫ Mds 9500 Version-
   Cisco ≫ Mds 9700 Version-

Cisco ≫ Nx-os Version >= 8.2 < 8.3\(1\)

   Cisco ≫ Mds 9000 Version-
   Cisco ≫ Mds 9100 Version-
   Cisco ≫ Mds 9200 Version-
   Cisco ≫ Mds 9500 Version-
   Cisco ≫ Mds 9700 Version-

Cisco ≫ Nx-os Version >= 7.0\(3\)i4 < 7.0\(3\)i4\(8\)

   Cisco ≫ Nexus 3000 Version-
   Cisco ≫ Nexus 3100 Version-
   Cisco ≫ Nexus 3100-z Version-
   Cisco ≫ Nexus 3100v Version-
   Cisco ≫ Nexus 3200 Version-
   Cisco ≫ Nexus 3400 Version-
   Cisco ≫ Nexus 3500 Version-
   Cisco ≫ Nexus 3524-x Version-
   Cisco ≫ Nexus 3524-xl Version-
   Cisco ≫ Nexus 3548-x Version-
   Cisco ≫ Nexus 3548-xl Version-
   Cisco ≫ Nexus 3600 Version-
   Cisco ≫ Nexus 9000 Version-
   Cisco ≫ Nexus 9200 Version-
   Cisco ≫ Nexus 9300 Version-
   Cisco ≫ Nexus 9500 Version-

Cisco ≫ Nx-os Version >= 7.0\(3\)i5 < 7.0\(3\)i7\(3\)

Cisco ≫ Nx-os Version >= 7.3 < 7.3\(4\)n1\(1\)

   Cisco ≫ Nexus 5500 Version-
   Cisco ≫ Nexus 5600 Version-
   Cisco ≫ Nexus 6000 Version-

Cisco ≫ Nx-os Version >= 6.2 < 7.3\(3\)d1\(1\)

Cisco ≫ Nexus 7000 Version-
Cisco ≫ Nexus 7700 Version-

Cisco ≫ Nx-os Version >= 8.0 < 8.3\(1\)

Cisco ≫ Nexus 7000 Version-
Cisco ≫ Nexus 7700 Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.13%	0.297

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.7	0.8	5.9	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.2	3.9	10	AV:L/AC:L/Au:N/C:C/I:C/A:C
psirt@cisco.com	4.2	0.8	3.4	CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

http://www.securityfocus.com/bid/108341

Third Party Advisory

VDB Entry

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-nxos-pyth-escal

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2019-1727

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-1727

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-1727

EUVD