SB2019082607 - Multiple vulnerabilities in Enterprise NFV Infrastructure Software

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2019082607

SB2019082607 - Multiple vulnerabilities in Enterprise NFV Infrastructure Software

Published: August 26, 2019

Security Bulletin ID SB2019082607
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 vulnerabilities.


1) Input validation error (CVE-ID: CVE-2019-1984)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to overwrite files on the underlying operating system (OS) of an affected device.

The vulnerability exists due to improper input validation in an NFVIS file-system command. A remote authenticated administrator can use specially crafted variables during the execution of an affected command and overwrite arbitrary files on the underlying OS.


2) File and Directory Information Exposure (CVE-ID: CVE-2019-12623)

CWE-ID: CWE-538 - File And Directory Information Exposure

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to perform file enumeration on an affected system.

The vulnerability exists in the web server functionality due to the web server responds with different error codes for exist and non-exist files. A remote attacker can send specially crafted GET requests for different file names and enumerate files residing on the system.

Remediation

Install update from vendor's website.

References