Details of VAR-201905-0595

ID

VAR-201905-0595

CVE

CVE-2019-1857

TITLE

Cisco HyperFlex HX-Series Vulnerable to cross-site request forgery

Trust: 0.8

sources: JVNDB: JVNDB-2019-003901

DESCRIPTION

A vulnerability in the web-based management interface of Cisco HyperFlex HX-Series could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected system. The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user of the interface to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions on an affected system by using a web browser and with the privileges of the user. Cisco HyperFlex HX-Series Contains a cross-site request forgery vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Other attacks are also possible. This issue is being tracked by Cisco Bug ID CSCvk59399. Cisco HyperFlex HX-Series is a distributed file system of Cisco (Cisco). The system supports multiple hypervisors and primarily provides enterprise-level data management and optimization services. The vulnerability stems from the WEB application not adequately verifying that the request is from a trusted user

Trust: 1.98

sources: NVD: CVE-2019-1857 // JVNDB: JVNDB-2019-003901 // BID: 108163 // VULHUB: VHN-150929

AFFECTED PRODUCTS

vendor:	cisco	model:	hx220c all nvme m5	scope:	eq	version:	3.0\(1a\)	Trust: 1.0
vendor:	cisco	model:	hx220c af m5	scope:	eq	version:	3.0\(1a\)	Trust: 1.0
vendor:	cisco	model:	hx240c m5	scope:	eq	version:	3.0\(1a\)	Trust: 1.0
vendor:	cisco	model:	ucs b200 m5	scope:	eq	version:	3.0\(1a\)	Trust: 1.0
vendor:	cisco	model:	ucs c240 m5	scope:	eq	version:	3.0\(1a\)	Trust: 1.0
vendor:	cisco	model:	ucs c480 ml	scope:	eq	version:	3.0\(1a\)	Trust: 1.0
vendor:	cisco	model:	hx240c large form factor	scope:	eq	version:	3.0\(1a\)	Trust: 1.0
vendor:	cisco	model:	hx220c edge m5	scope:	eq	version:	3.0\(1a\)	Trust: 1.0
vendor:	cisco	model:	hx220c m5	scope:	eq	version:	3.0\(1a\)	Trust: 1.0
vendor:	cisco	model:	hx240c af m5	scope:	eq	version:	3.0\(1a\)	Trust: 1.0
vendor:	cisco	model:	ucs c220 m5	scope:	eq	version:	3.0\(1a\)	Trust: 1.0
vendor:	cisco	model:	ucs c125 m5	scope:	eq	version:	3.0\(1a\)	Trust: 1.0
vendor:	cisco	model:	ucs c480 m5	scope:	eq	version:	3.0\(1a\)	Trust: 1.0
vendor:	cisco	model:	ucs b480 m5	scope:	eq	version:	3.0\(1a\)	Trust: 1.0
vendor:	cisco	model:	hyperflex hx220c edge m5	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	hyperflex hx220c m5 all flash	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	hyperflex hx220c m5 all nvme	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	hyperflex hx220c m5	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	hyperflex hx240c m5 all flash	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	hyperflex hx240c m5 large form-factor	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	hyperflex hx240c m5	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	ucs b200 m5	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	ucs b480 m5	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	ucs c480 m5	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	hyperflex hx-series 3.0	scope:	-	version:	-	Trust: 0.3
vendor:	cisco	model:	hyperflex hx-series 4.0	scope:	ne	version:	-	Trust: 0.3

sources: BID: 108163 // JVNDB: JVNDB-2019-003901 // NVD: CVE-2019-1857

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-1857
value:	HIGH
Trust: 1.0
ykramarz@cisco.com:	CVE-2019-1857
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2019-1857
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201905-049
value:	HIGH
Trust: 0.6
VULHUB:	VHN-150929
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2019-1857
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-150929
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-1857
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.0
Trust: 1.8
ykramarz@cisco.com:	CVE-2019-1857
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.0
Trust: 1.0

sources: VULHUB: VHN-150929 // JVNDB: JVNDB-2019-003901 // CNNVD: CNNVD-201905-049 // NVD: CVE-2019-1857 // NVD: CVE-2019-1857

PROBLEMTYPE DATA

problemtype:

CWE-352

Trust: 1.9

sources: VULHUB: VHN-150929 // JVNDB: JVNDB-2019-003901 // NVD: CVE-2019-1857

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201905-049

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201905-049

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-003901

PATCH

title:	cisco-sa-20190501-hyperflex-csrf	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-hyperflex-csrf	Trust: 0.8
title:	Cisco HyperFlex HX-Series Fixes for cross-site request forgery vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=92192	Trust: 0.6

sources: JVNDB: JVNDB-2019-003901 // CNNVD: CNNVD-201905-049

EXTERNAL IDS

db:	NVD	id:	CVE-2019-1857	Trust: 2.8
db:	BID	id:	108163	Trust: 2.0
db:	JVNDB	id:	JVNDB-2019-003901	Trust: 0.8
db:	CNNVD	id:	CNNVD-201905-049	Trust: 0.7
db:	AUSCERT	id:	ESB-2019.1533	Trust: 0.6
db:	VULHUB	id:	VHN-150929	Trust: 0.1

sources: VULHUB: VHN-150929 // BID: 108163 // JVNDB: JVNDB-2019-003901 // CNNVD: CNNVD-201905-049 // NVD: CVE-2019-1857

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190501-hyperflex-csrf	Trust: 2.6
url:	http://www.securityfocus.com/bid/108163	Trust: 2.3
url:	https://nvd.nist.gov/vuln/detail/cve-2019-1857	Trust: 1.4
url:	http://www.cisco.com/	Trust: 0.9
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1857	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/80170	Trust: 0.6

sources: VULHUB: VHN-150929 // BID: 108163 // JVNDB: JVNDB-2019-003901 // CNNVD: CNNVD-201905-049 // NVD: CVE-2019-1857

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 108163

SOURCES

db:	VULHUB	id:	VHN-150929
db:	BID	id:	108163
db:	JVNDB	id:	JVNDB-2019-003901
db:	CNNVD	id:	CNNVD-201905-049
db:	NVD	id:	CVE-2019-1857

LAST UPDATE DATE

2024-11-23T22:58:40.584000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-150929	date:	2019-05-06T00:00:00
db:	BID	id:	108163	date:	2019-05-01T00:00:00
db:	JVNDB	id:	JVNDB-2019-003901	date:	2019-05-23T00:00:00
db:	CNNVD	id:	CNNVD-201905-049	date:	2019-05-14T00:00:00
db:	NVD	id:	CVE-2019-1857	date:	2024-11-21T04:37:32.597

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-150929	date:	2019-05-03T00:00:00
db:	BID	id:	108163	date:	2019-05-01T00:00:00
db:	JVNDB	id:	JVNDB-2019-003901	date:	2019-05-23T00:00:00
db:	CNNVD	id:	CNNVD-201905-049	date:	2019-05-01T00:00:00
db:	NVD	id:	CVE-2019-1857	date:	2019-05-03T17:29:01.437