ID

VAR-202001-0648


CVE

CVE-2019-11998


TITLE

HPE Superdome Flex Server input validation vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-014361

DESCRIPTION

HPE Superdome Flex Server is affected by multiple remote vulnerabilities caused by improper input validation of administrator commands. These could allow an Administrator to bypass security restrictions, with impacts including information disclosure or denial of service. HPE has provided firmware updates that address these vulnerabilities for the HPE Superdome Flex Server, starting with firmware version v3.20.186 (not available online) and v3.20.206 (available online). Apply v3.20.206 (4 December 2019) or a newer version to resolve this issue. Updated firmware is available from the HPE Support Center: https://support.hpe.com/hpesc/public/home

Trust: 1.62

sources: NVD: CVE-2019-11998 // JVNDB: JVNDB-2019-014361

AFFECTED PRODUCTS

vendor: hpe, model: superdome flex server, scope: lt, version: 3.20.186

Trust: 1.0

vendor: Hewlett Packard Enterprise, model: hpe superdome flex server, scope: eq, version: -

Trust: 0.8

vendor: Hewlett Packard Enterprise, model: hpe superdome flex server, scope: eq, version: hpe superdome flex server firmware 3.20.186

Trust: 0.8

vendor: Hewlett Packard Enterprise, model: hpe superdome flex server, scope: eq, version: hpe superdome flex server firmware 3.20.206

Trust: 0.8

vendor: hpe, model: superdome flex server, scope: eq, version: -

Trust: 0.6

sources: JVNDB: JVNDB-2019-014361 // CNNVD: CNNVD-202001-840 // NVD: CVE-2019-11998

CVSS

SEVERITY

nvd@nist.gov: CVE-2019-11998
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-11998
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202001-840
value: HIGH

Trust: 0.6

CVSSV2

nvd@nist.gov: CVE-2019-11998
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CVSSV3

nvd@nist.gov: CVE-2019-11998
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.8
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2019-11998
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2019-014361 // CNNVD: CNNVD-202001-840 // NVD: CVE-2019-11998

PROBLEMTYPE DATA

problemtype: CWE-20

Trust: 1.0

problemtype: Improper input validation (CWE-20) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2019-014361 // NVD: CVE-2019-11998

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202001-840

PATCH

title: hpesbhf03978en_us, url: https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=emr_na-hpesbhf03978en_us

Trust: 0.8

title: HPE Superdome Flex Server Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=109214

Trust: 0.6

sources: JVNDB: JVNDB-2019-014361 // CNNVD: CNNVD-202001-840

EXTERNAL IDS

db: NVD, id: CVE-2019-11998

Trust: 2.4

db: JVNDB, id: JVNDB-2019-014361

Trust: 0.8

db: AUSCERT, id: ESB-2020.0497

Trust: 0.6

db: CNNVD, id: CNNVD-202001-840

Trust: 0.6

sources: JVNDB: JVNDB-2019-014361 // CNNVD: CNNVD-202001-840 // NVD: CVE-2019-11998

REFERENCES

url: https://support.hpe.com/hpsc/doc/public/display?doclocale=en_us&docid=emr_na-hpesbhf03978en_us

Trust: 1.6

url: https://nvd.nist.gov/vuln/detail/cve-2019-11998

Trust: 1.4

url: https://support.hpe.com/hpesc/public/docdisplay?docid=hpesbgn03975en_us

Trust: 0.6

url: https://support.hpe.com/hpesc/public/docdisplay?docid=hpesbhf03978en_us

Trust: 0.6

url: https://www.auscert.org.au/bulletins/esb-2020.0497/

Trust: 0.6

sources: JVNDB: JVNDB-2019-014361 // CNNVD: CNNVD-202001-840 // NVD: CVE-2019-11998

SOURCES

db: JVNDB, id: JVNDB-2019-014361
db: CNNVD, id: CNNVD-202001-840
db: NVD, id: CVE-2019-11998

LAST UPDATE DATE

2024-11-23T22:21:21.758000+00:00


SOURCES UPDATE DATE

db: JVNDB, id: JVNDB-2019-014361, date: 2020-02-12T00:00:00
db: CNNVD, id: CNNVD-202001-840, date: 2020-02-14T00:00:00
db: NVD, id: CVE-2019-11998, date: 2024-11-21T04:22:08.057

SOURCES RELEASE DATE

db: JVNDB, id: JVNDB-2019-014361, date: 2020-02-12T00:00:00
db: CNNVD, id: CNNVD-202001-840, date: 2020-01-16T00:00:00
db: NVD, id: CVE-2019-11998, date: 2020-01-16T19:15:12.077