Information disclosure in Cisco Network Convergence System 1000 Series

Published: 2019-02-22 19:05:01
Severity: Low
Patch available: YES
Number of vulnerabilities: 1
CVE ID: CVE-2019-1681
CVSSv3: 6.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CWE ID: CWE-22
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Cisco Network Convergence System 1000 Series
Vulnerable software versions: Cisco Network Convergence System 1000 Series 6.5.1
Vendor URL: Cisco Systems, Inc

Security Advisory

1) Path traversal

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists in the TFTP service due to an input validation error when processing directory traversal sequences. A remote attacker can use directory traversal techniques in malicious requests sent to the TFTP service to retrieve arbitrary files from the targeted device.
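The missing check for this weakness class (CWE-22), shown as an added example on a generic TFTP read request; this is not Cisco's code. The names `parse_rrq`, `resolve_under_root` and `RejectedRequest` are hypothetical, and treating a leading `/` as relative to the TFTP root is an assumed policy.

```python
import os
import struct

OP_RRQ = 1  # TFTP read-request opcode (RFC 1350)


class RejectedRequest(Exception):
    """Raised when a request is malformed or names a file outside the root."""


def parse_rrq(packet: bytes) -> tuple[str, str]:
    """Parse an RRQ: 2-byte opcode, filename, NUL, transfer mode, NUL."""
    if len(packet) < 4 or struct.unpack("!H", packet[:2])[0] != OP_RRQ:
        raise RejectedRequest("not a read request")
    fields = packet[2:].split(b"\x00")
    # A well-formed RRQ yields filename, mode and a trailing empty field.
    if len(fields) < 3 or not fields[0] or not fields[1]:
        raise RejectedRequest("malformed RRQ")
    try:
        return fields[0].decode("ascii"), fields[1].decode("ascii").lower()
    except UnicodeDecodeError:
        raise RejectedRequest("non-ASCII field")


def resolve_under_root(root: str, filename: str) -> str:
    """Return the canonical path for filename, or reject it if it leaves root.

    The decision is made on the canonical path (after '..' and symlinks are
    resolved), not by searching the raw string for '../'.
    """
    root_real = os.path.realpath(root)
    # Assumed policy: backslashes count as separators, and a leading '/'
    # is interpreted relative to the TFTP root rather than the filesystem.
    relative = filename.replace("\\", "/").lstrip("/")
    candidate = os.path.realpath(os.path.join(root_real, relative))
    if candidate == root_real:
        raise RejectedRequest("request names the root directory itself")
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise RejectedRequest("path escapes TFTP root")
    return candidate
```

A server would call `resolve_under_root` on the filename returned by `parse_rrq` and open only the path it returns.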

Remediation

Update to version 7.0.1.19, 6.6.11.12, 6.6.1.19, 6.5.2.10 or 6.5.2.9.

External links

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190220-ncs
