CVE-2019-1896
Summary
| CVE | CVE-2019-1896 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2019-08-21 19:15:00 UTC |
| Updated | 2023-03-31 15:57:00 UTC |
| Description | A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) could allow an authenticated, remote attacker to inject arbitrary commands and obtain root privileges. The vulnerability is due to insufficient validation of user-supplied input in the Certificate Signing Request (CSR) function of the web-based management interface. An attacker could exploit this vulnerability by submitting a crafted CSR in the web-based management interface. A successful exploit could allow an attacker with administrator privileges to execute arbitrary commands on the device with full root privileges. |
Risk And Classification
Problem Types: CWE-78
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Hardware | Cisco | Encs 5100 | - | All | All | All |
| Hardware | Cisco | Encs 5100 | - | All | All | All |
| Hardware | Cisco | Encs 5400 | - | All | All | All |
| Hardware | Cisco | Encs 5400 | - | All | All | All |
| Application | Cisco | Integrated Management Controller Supervisor | All | All | All | All |
| Application | Cisco | Integrated Management Controller Supervisor | All | All | All | All |
| Hardware | Cisco | Ucs-e1120d-m3 | - | All | All | All |
| Hardware | Cisco | Ucs-e1120d-m3 | - | All | All | All |
| Hardware | Cisco | Ucs-e140s-m2 | - | All | All | All |
| Hardware | Cisco | Ucs-e140s-m2 | - | All | All | All |
| Hardware | Cisco | Ucs-e160d-m2 | - | All | All | All |
| Hardware | Cisco | Ucs-e160d-m2 | - | All | All | All |
| Hardware | Cisco | Ucs-e160s-m3 | - | All | All | All |
| Hardware | Cisco | Ucs-e160s-m3 | - | All | All | All |
| Hardware | Cisco | Ucs-e168d-m2 | - | All | All | All |
| Hardware | Cisco | Ucs-e168d-m2 | - | All | All | All |
| Hardware | Cisco | Ucs-e180d-m3 | - | All | All | All |
| Hardware | Cisco | Ucs-e180d-m3 | - | All | All | All |
| Hardware | Cisco | Ucs C125 M5 | - | All | All | All |
| Hardware | Cisco | Ucs C125 M5 | - | All | All | All |
| Hardware | Cisco | Ucs C4200 | - | All | All | All |
| Hardware | Cisco | Ucs C4200 | - | All | All | All |
| Hardware | Cisco | Ucs S3260 | - | All | All | All |
| Hardware | Cisco | Ucs S3260 | - | All | All | All |
| Application | Cisco | Unified Computing System | 4.0(1c)hs3 | All | All | All |
| Application | Cisco | Unified Computing System | 4.0\(1c\)hs3 | All | All | All |
| Application | Cisco | Unified Computing System | 4.0\(1c\)hs3 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Cisco Integrated Management Controller CSR Generation Command Injection Vulnerability | CISCO | tools.cisco.com | Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.