SB2019012414 - Information disclosure in Cisco Mobility Services Engine
Published: January 24, 2019
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Information disclosure (CVE-ID: CVE-2019-1645)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows an adjacent attacker to obtain potentially sensitive information.
The vulnerability exists due to a lack of input and validation checking mechanisms for certain GET requests to API's. An adjacent attacker can send HTTP GET requests obtain arbitrary data and use this information to conduct additional reconnaissance attacks.
Remediation
Install update from vendor's website.