CVE-2019-1883
Published on: 08/21/2019 12:00:00 AM UTC
Last Modified on: 03/23/2021 11:27:47 PM UTC
CVE-2019-1883 - advisory for cisco-sa-20190821-cimc-cli-inject
Source: Mitre Source: NIST CVE.ORG Print: PDF
Certain versions of Encs 5100 from Cisco contain the following vulnerability:
A vulnerability in the command-line interface of Cisco Integrated Management Controller (IMC) could allow an authenticated, local attacker with read-only credentials to inject arbitrary commands that could allow them to obtain root privileges. The vulnerability is due to insufficient validation of user-supplied input on the command-line interface. An attacker could exploit this vulnerability by authenticating with read-only privileges via the CLI of an affected device and submitting crafted input to the affected commands. A successful exploit could allow an attacker to execute arbitrary commands on the device with root privileges.
- CVE-2019-1883 has been assigned by
[email protected] to track the vulnerability - currently rated as HIGH severity. - The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
- Affected Vendor/Software: Cisco - Cisco Unified Computing System E-Series Software (UCSE) version 3.0(4k)
CVSS3 Score: 7.8 - HIGH
| Attack Vector ⓘ |
Attack Complexity |
Privileges Required |
User Interaction |
|---|---|---|---|
| LOCAL | LOW | LOW | NONE |
| Scope | Confidentiality Impact |
Integrity Impact |
Availability Impact |
| UNCHANGED | HIGH | HIGH | HIGH |
CVSS2 Score: 7.2 - HIGH
| Access Vector ⓘ |
Access Complexity |
Authentication |
|---|---|---|
| LOCAL | LOW | NONE |
| Confidentiality Impact |
Integrity Impact |
Availability Impact |
| COMPLETE | COMPLETE | COMPLETE |
CVE References
| Description | Tags ⓘ | Link |
|---|---|---|
| Cisco Integrated Management Controller CLI Command Injection Vulnerability | Vendor Advisory tools.cisco.com text/html |
CISCO 20190821 Cisco Integrated Management Controller CLI Command Injection Vulnerability |
There are currently no QIDs associated with this CVE
Known Affected Configurations (CPE V2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Hardware
| Cisco | Encs 5100 | - | All | All | All |
| Hardware
| Cisco | Encs 5100 | - | All | All | All |
| Hardware
| Cisco | Encs 5400 | - | All | All | All |
| Hardware
| Cisco | Encs 5400 | - | All | All | All |
| Application | Cisco | Integrated Management Controller Supervisor | All | All | All | All |
| Application | Cisco | Integrated Management Controller Supervisor | All | All | All | All |
| Hardware
| Cisco | Ucs-e1120d-m3 | - | All | All | All |
| Hardware
| Cisco | Ucs-e1120d-m3 | - | All | All | All |
| Hardware
| Cisco | Ucs-e140s-m2 | - | All | All | All |
| Hardware
| Cisco | Ucs-e140s-m2 | - | All | All | All |
| Hardware
| Cisco | Ucs-e160d-m2 | - | All | All | All |
| Hardware
| Cisco | Ucs-e160d-m2 | - | All | All | All |
| Hardware
| Cisco | Ucs-e160s-m3 | - | All | All | All |
| Hardware
| Cisco | Ucs-e160s-m3 | - | All | All | All |
| Hardware
| Cisco | Ucs-e168d-m2 | - | All | All | All |
| Hardware
| Cisco | Ucs-e168d-m2 | - | All | All | All |
| Hardware
| Cisco | Ucs-e180d-m3 | - | All | All | All |
| Hardware
| Cisco | Ucs-e180d-m3 | - | All | All | All |
| Hardware
| Cisco | Ucs C125 M5 | - | All | All | All |
| Hardware
| Cisco | Ucs C125 M5 | - | All | All | All |
| Hardware
| Cisco | Ucs C4200 | - | All | All | All |
| Hardware
| Cisco | Ucs C4200 | - | All | All | All |
| Hardware
| Cisco | Ucs S3260 | - | All | All | All |
| Hardware
| Cisco | Ucs S3260 | - | All | All | All |
| Application | Cisco | Unified Computing System | 4.0(1c)hs3 | All | All | All |
| Application | Cisco | Unified Computing System | 4.0\(1c\)hs3 | All | All | All |
| Application | Cisco | Unified Computing System | 4.0\(1c\)hs3 | All | All | All |
- cpe:2.3:h:cisco:encs_5100:-:*:*:*:*:*:*:*:
- cpe:2.3:h:cisco:encs_5100:-:*:*:*:*:*:*:*:
- cpe:2.3:h:cisco:encs_5400:-:*:*:*:*:*:*:*:
- cpe:2.3:h:cisco:encs_5400:-:*:*:*:*:*:*:*:
- cpe:2.3:a:cisco:integrated_management_controller_supervisor:*:*:*:*:*:*:*:*:
- cpe:2.3:a:cisco:integrated_management_controller_supervisor:*:*:*:*:*:*:*:*:
- cpe:2.3:h:cisco:ucs-e1120d-m3:-:*:*:*:*:*:*:*:
- cpe:2.3:h:cisco:ucs-e1120d-m3:-:*:*:*:*:*:*:*:
- cpe:2.3:h:cisco:ucs-e140s-m2:-:*:*:*:*:*:*:*:
- cpe:2.3:h:cisco:ucs-e140s-m2:-:*:*:*:*:*:*:*:
- cpe:2.3:h:cisco:ucs-e160d-m2:-:*:*:*:*:*:*:*:
- cpe:2.3:h:cisco:ucs-e160d-m2:-:*:*:*:*:*:*:*:
- cpe:2.3:h:cisco:ucs-e160s-m3:-:*:*:*:*:*:*:*:
- cpe:2.3:h:cisco:ucs-e160s-m3:-:*:*:*:*:*:*:*:
- cpe:2.3:h:cisco:ucs-e168d-m2:-:*:*:*:*:*:*:*:
- cpe:2.3:h:cisco:ucs-e168d-m2:-:*:*:*:*:*:*:*:
- cpe:2.3:h:cisco:ucs-e180d-m3:-:*:*:*:*:*:*:*:
- cpe:2.3:h:cisco:ucs-e180d-m3:-:*:*:*:*:*:*:*:
- cpe:2.3:h:cisco:ucs_c125_m5:-:*:*:*:*:*:*:*:
- cpe:2.3:h:cisco:ucs_c125_m5:-:*:*:*:*:*:*:*:
- cpe:2.3:h:cisco:ucs_c4200:-:*:*:*:*:*:*:*:
- cpe:2.3:h:cisco:ucs_c4200:-:*:*:*:*:*:*:*:
- cpe:2.3:h:cisco:ucs_s3260:-:*:*:*:*:*:*:*:
- cpe:2.3:h:cisco:ucs_s3260:-:*:*:*:*:*:*:*:
- cpe:2.3:a:cisco:unified_computing_system:4.0(1c)hs3:*:*:*:*:*:*:*:
- cpe:2.3:a:cisco:unified_computing_system:4.0\(1c\)hs3:*:*:*:*:*:*:*:
- cpe:2.3:a:cisco:unified_computing_system:4.0\(1c\)hs3:*:*:*:*:*:*:*:
No vendor comments have been submitted for this CVE