SB2019012414 - Information disclosure in Cisco Mobility Services Engine



SB2019012414 - Information disclosure in Cisco Mobility Services Engine

Published: January 24, 2019

Security Bulletin ID SB2019012414
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Adjecent network
Highest impact Information disclosure

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 vulnerability.


1) Information disclosure (CVE-ID: CVE-2019-1645)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows an adjacent attacker to obtain potentially sensitive information.

The vulnerability exists due to a lack of input and validation checking mechanisms for certain GET requests to API's. An adjacent attacker can send HTTP GET requests obtain arbitrary data and use this information to conduct additional reconnaissance attacks.


Remediation

Install update from vendor's website.