Details of VAR-201907-0860

ID

VAR-201907-0860

CVE

CVE-2019-1917

TITLE

Cisco Vision Dynamic Signage Director Vulnerabilities in authentication

Trust: 0.8

sources: JVNDB: JVNDB-2019-006931

DESCRIPTION

A vulnerability in the REST API interface of Cisco Vision Dynamic Signage Director could allow an unauthenticated, remote attacker to bypass authentication on an affected system. The vulnerability is due to insufficient validation of HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected system. A successful exploit could allow the attacker to execute arbitrary actions through the REST API with administrative privileges on the affected system. The REST API is enabled by default and cannot be disabled. This may lead to further attacks. This issue is being tracked by Cisco bug ID CSCvo52767

Trust: 1.98

sources: NVD: CVE-2019-1917 // JVNDB: JVNDB-2019-006931 // BID: 109301 // VULHUB: VHN-151589

AFFECTED PRODUCTS

vendor:	cisco	model:	vision dynamic signage director	scope:	lte	version:	5.0	Trust: 1.0
vendor:	cisco	model:	vision dynamic signage director	scope:	eq	version:	6.1	Trust: 1.0
vendor:	cisco	model:	vision dynamic signage director	scope:	lte	version:	6.1	Trust: 1.0
vendor:	cisco	model:	vision dynamic signage director	scope:	gte	version:	6.0	Trust: 1.0
vendor:	cisco	model:	vision dynamic signage director	scope:	eq	version:	5.0	Trust: 1.0
vendor:	cisco	model:	vision dynamic signage director	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	vision dynamic signage director software	scope:	eq	version:	6.1	Trust: 0.3
vendor:	cisco	model:	vision dynamic signage director software	scope:	eq	version:	6.0	Trust: 0.3
vendor:	cisco	model:	vision dynamic signage director software	scope:	eq	version:	5.0	Trust: 0.3
vendor:	cisco	model:	vision dynamic signage director software	scope:	ne	version:	6.2	Trust: 0.3
vendor:	cisco	model:	vision dynamic signage director software sp3	scope:	ne	version:	6.1	Trust: 0.3
vendor:	cisco	model:	vision dynamic signage director software sp9	scope:	ne	version:	5.0	Trust: 0.3

sources: BID: 109301 // JVNDB: JVNDB-2019-006931 // NVD: CVE-2019-1917

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-1917
value:	CRITICAL
Trust: 1.0
ykramarz@cisco.com:	CVE-2019-1917
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2019-1917
value:	CRITICAL
Trust: 0.8
CNNVD:	CNNVD-201907-1030
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-151589
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2019-1917
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-151589
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-1917
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.0
Trust: 1.8
ykramarz@cisco.com:	CVE-2019-1917
baseSeverity:	CRITICAL
baseScore:	9.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	5.2
version:	3.0
Trust: 1.0

sources: VULHUB: VHN-151589 // JVNDB: JVNDB-2019-006931 // CNNVD: CNNVD-201907-1030 // NVD: CVE-2019-1917 // NVD: CVE-2019-1917

PROBLEMTYPE DATA

problemtype:

CWE-287

Trust: 1.9

sources: VULHUB: VHN-151589 // JVNDB: JVNDB-2019-006931 // NVD: CVE-2019-1917

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201907-1030

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201907-1030

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-006931

PATCH

title:	cisco-sa-20190717-cvdsd-wmauth	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190717-cvdsd-wmauth	Trust: 0.8
title:	Cisco Vision Dynamic Signage Director Remediation measures for authorization problem vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=95313	Trust: 0.6

sources: JVNDB: JVNDB-2019-006931 // CNNVD: CNNVD-201907-1030

EXTERNAL IDS

db:	NVD	id:	CVE-2019-1917	Trust: 2.8
db:	BID	id:	109301	Trust: 2.0
db:	JVNDB	id:	JVNDB-2019-006931	Trust: 0.8
db:	CNNVD	id:	CNNVD-201907-1030	Trust: 0.7
db:	NSFOCUS	id:	43834	Trust: 0.6
db:	AUSCERT	id:	ESB-2019.2682	Trust: 0.6
db:	VULHUB	id:	VHN-151589	Trust: 0.1

sources: VULHUB: VHN-151589 // BID: 109301 // JVNDB: JVNDB-2019-006931 // CNNVD: CNNVD-201907-1030 // NVD: CVE-2019-1917

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190717-cvdsd-wmauth	Trust: 2.0
url:	http://www.securityfocus.com/bid/109301	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2019-1917	Trust: 1.4
url:	http://www.cisco.com/	Trust: 0.9
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1917	Trust: 0.8
url:	http://www.nsfocus.net/vulndb/43834	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2019.2682/	Trust: 0.6

sources: VULHUB: VHN-151589 // BID: 109301 // JVNDB: JVNDB-2019-006931 // CNNVD: CNNVD-201907-1030 // NVD: CVE-2019-1917

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 109301

SOURCES

db:	VULHUB	id:	VHN-151589
db:	BID	id:	109301
db:	JVNDB	id:	JVNDB-2019-006931
db:	CNNVD	id:	CNNVD-201907-1030
db:	NVD	id:	CVE-2019-1917

LAST UPDATE DATE

2024-11-23T22:11:57.258000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-151589	date:	2019-10-09T00:00:00
db:	BID	id:	109301	date:	2019-07-17T00:00:00
db:	JVNDB	id:	JVNDB-2019-006931	date:	2019-07-30T00:00:00
db:	CNNVD	id:	CNNVD-201907-1030	date:	2019-08-15T00:00:00
db:	NVD	id:	CVE-2019-1917	date:	2024-11-21T04:37:40.923

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-151589	date:	2019-07-17T00:00:00
db:	BID	id:	109301	date:	2019-07-17T00:00:00
db:	JVNDB	id:	JVNDB-2019-006931	date:	2019-07-30T00:00:00
db:	CNNVD	id:	CNNVD-201907-1030	date:	2019-07-17T00:00:00
db:	NVD	id:	CVE-2019-1917	date:	2019-07-17T21:15:11.937