Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2019-1885

Опубликовано: 21 авг. 2019
Источник: nvd
CVSS3: 7.2
CVSS3: 7.2
CVSS2: 9
EPSS Низкий

Описание

A vulnerability in the Redfish protocol of Cisco Integrated Management Controller (IMC) could allow an authenticated, remote attacker to inject and execute arbitrary commands with root privileges on an affected device. The vulnerability is due to insufficient validation of user-supplied input by the affected software. An attacker could exploit this vulnerability by sending crafted authenticated commands to the web-based management interface of the affected software. A successful exploit could allow the attacker to inject and execute arbitrary commands on an affected device with root privileges.

Ссылки

Уязвимые конфигурации

Конфигурация 1
cpe:2.3:a:cisco:unified_computing_system:4.0\(1c\)hs3:*:*:*:*:*:*:*
Конфигурация 2

Одновременно

Одно из

cpe:2.3:a:cisco:integrated_management_controller_supervisor:*:*:*:*:*:*:*:*
Версия от 3.0.0.0 (включая) до 3.0\(4k\) (исключая)
cpe:2.3:a:cisco:integrated_management_controller_supervisor:*:*:*:*:*:*:*:*
Версия от 4.0.0.0 (включая) до 4.0\(4b\) (исключая)

Одно из

cpe:2.3:h:cisco:ucs_c125_m5:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:ucs_c4200:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:ucs_s3260:-:*:*:*:*:*:*:*
Конфигурация 3

Одновременно

cpe:2.3:a:cisco:integrated_management_controller_supervisor:*:*:*:*:*:*:*:*
Версия от 4.0.0.0 (включая) до 4.0\(2f\) (исключая)

Одно из

cpe:2.3:h:cisco:ucs_c125_m5:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:ucs_c4200:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:ucs_s3260:-:*:*:*:*:*:*:*

EPSS

Процентиль: 76%
0.00958
Низкий

7.2 High

CVSS3

7.2 High

CVSS3

9 Critical

CVSS2

Дефекты

CWE-78
CWE-78

Связанные уязвимости

github логотип

GHSA-hfhw-2r7f-rrr3

CVSS3: 7.2
github
больше 3 лет назад

A vulnerability in the Redfish protocol of Cisco Integrated Management Controller (IMC) could allow an authenticated, remote attacker to inject and execute arbitrary commands with root privileges on an affected device. The vulnerability is due to insufficient validation of user-supplied input by the affected software. An attacker could exploit this vulnerability by sending crafted authenticated commands to the web-based management interface of the affected software. A successful exploit could allow the attacker to inject and execute arbitrary commands on an affected device with root privileges.

EPSS

Процентиль: 76%
0.00958
Низкий

7.2 High

CVSS3

7.2 High

CVSS3

9 Critical

CVSS2

Дефекты

CWE-78
CWE-78