Main Vulnerability Database SB2019022211

SB2019022211 - Information disclosure in Cisco Network Convergence System 1000 Series

Published: February 22, 2019

Security Bulletin ID SB2019022211

CSH Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Path traversal (CVE-ID: CVE-2019-1681)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists in the TFTP service due to input validation error when processing directory traversal sequences. A remote attacker can use directory traversal techniques in malicious requests sent to the TFTP service to retrieve arbitrary files from the targeted device.

Remediation

Install update from vendor's website.

References

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190220-ncs