CVE-2019-1850 - NVD | ByteOS Network

NVD Vulnerability Details :

CVE-2019-1850

Modified

More Info Official Page

Source-ykramarz@cisco.com

Published At-21 Aug, 2019 | 19:15

Updated At-09 Oct, 2019 | 23:48

A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Software could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges on an affected device. An attacker would need to have valid administrator credentials on the device. The vulnerability is due to insufficient validation of user-supplied input by the affected software. An attacker with elevated privileges could exploit this vulnerability by sending crafted commands to the administrative web management interface of the affected software. A successful exploit could allow the attacker to inject and execute arbitrary, system-level commands with root privileges on an affected device.

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.0	7.2	HIGH	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Secondary	3.0	7.2	HIGH	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary	2.0	9.0	HIGH	AV:N/AC:L/Au:S/C:C/I:C/A:C

CPE Matches

Cisco Systems, Inc.

>>unified_computing_system>>4.0\(1c\)hs3

cpe:2.3:a:cisco:unified_computing_system:4.0\(1c\)hs3:*:*:*:*:*:*:*

Cisco Systems, Inc.

>>integrated_management_controller_supervisor>>Versions from 3.0.0.0(inclusive) to 3.0\(4k\)(exclusive)

cpe:2.3:a:cisco:integrated_management_controller_supervisor:*:*:*:*:*:*:*:*

Cisco Systems, Inc.

>>integrated_management_controller_supervisor>>Versions from 4.0.0.0(inclusive) to 4.0\(4b\)(exclusive)

cpe:2.3:a:cisco:integrated_management_controller_supervisor:*:*:*:*:*:*:*:*

Cisco Systems, Inc.

cpe:2.3:h:cisco:encs_5100:-:*:*:*:*:*:*:*

Cisco Systems, Inc.

cpe:2.3:h:cisco:encs_5400:-:*:*:*:*:*:*:*

Cisco Systems, Inc.

>>ucs-e1120d-m3>>-

cpe:2.3:h:cisco:ucs-e1120d-m3:-:*:*:*:*:*:*:*

Cisco Systems, Inc.

>>ucs-e140s-m2>>-

cpe:2.3:h:cisco:ucs-e140s-m2:-:*:*:*:*:*:*:*

Cisco Systems, Inc.

>>ucs-e160d-m2>>-

cpe:2.3:h:cisco:ucs-e160d-m2:-:*:*:*:*:*:*:*

Cisco Systems, Inc.

>>ucs-e160s-m3>>-

cpe:2.3:h:cisco:ucs-e160s-m3:-:*:*:*:*:*:*:*

Cisco Systems, Inc.

>>ucs-e168d-m2>>-

cpe:2.3:h:cisco:ucs-e168d-m2:-:*:*:*:*:*:*:*

Cisco Systems, Inc.

>>ucs-e180d-m3>>-

cpe:2.3:h:cisco:ucs-e180d-m3:-:*:*:*:*:*:*:*

Cisco Systems, Inc.

>>ucs_c125_m5>>-

cpe:2.3:h:cisco:ucs_c125_m5:-:*:*:*:*:*:*:*

Cisco Systems, Inc.

cpe:2.3:h:cisco:ucs_c4200:-:*:*:*:*:*:*:*

Cisco Systems, Inc.

cpe:2.3:h:cisco:ucs_s3260:-:*:*:*:*:*:*:*

Cisco Systems, Inc.

>>integrated_management_controller_supervisor>>Versions from 4.0.0.0(inclusive) to 4.0\(2f\)(exclusive)

cpe:2.3:a:cisco:integrated_management_controller_supervisor:*:*:*:*:*:*:*:*

Cisco Systems, Inc.

cpe:2.3:h:cisco:encs_5100:-:*:*:*:*:*:*:*

Cisco Systems, Inc.

cpe:2.3:h:cisco:encs_5400:-:*:*:*:*:*:*:*

Cisco Systems, Inc.

>>ucs-e1120d-m3>>-

cpe:2.3:h:cisco:ucs-e1120d-m3:-:*:*:*:*:*:*:*

Cisco Systems, Inc.

>>ucs-e140s-m2>>-

cpe:2.3:h:cisco:ucs-e140s-m2:-:*:*:*:*:*:*:*

Cisco Systems, Inc.

>>ucs-e160d-m2>>-

cpe:2.3:h:cisco:ucs-e160d-m2:-:*:*:*:*:*:*:*

Cisco Systems, Inc.

>>ucs-e160s-m3>>-

cpe:2.3:h:cisco:ucs-e160s-m3:-:*:*:*:*:*:*:*

Cisco Systems, Inc.

>>ucs-e168d-m2>>-

cpe:2.3:h:cisco:ucs-e168d-m2:-:*:*:*:*:*:*:*

Cisco Systems, Inc.

>>ucs-e180d-m3>>-

cpe:2.3:h:cisco:ucs-e180d-m3:-:*:*:*:*:*:*:*

Cisco Systems, Inc.

>>ucs_c125_m5>>-

cpe:2.3:h:cisco:ucs_c125_m5:-:*:*:*:*:*:*:*

Cisco Systems, Inc.

cpe:2.3:h:cisco:ucs_c4200:-:*:*:*:*:*:*:*

Cisco Systems, Inc.

cpe:2.3:h:cisco:ucs_s3260:-:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-78	Primary	nvd@nist.gov
CWE-78	Secondary	ykramarz@cisco.com

References

Hyperlink	Source	Resource
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-cmdinj-1850	ykramarz@cisco.com	Vendor Advisory