#VU20379 Permissions, Privileges, and Access Controls in Cisco Systems, Inc products - CVE-2019-12634
Published: August 23, 2019
Vulnerability identifier: #VU20379
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2019-12634
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Cisco UCS Director Express for Big Data
Cisco UCS Director
Cisco Integrated Management Controller Supervisor
Cisco UCS Director Express for Big Data
Cisco UCS Director
Cisco Integrated Management Controller Supervisor
Software vendor:
Cisco Systems, Inc
Cisco Systems, Inc
Description
The vulnerability allows a remote attacker to cause a denial of service (DoS) condition.
The vulnerability exists due to a missing authentication check in an API call in the web-based management interface. A remote attacker can send a specially crafted request and cause all currently authenticated users to be logged off. Repeated exploitation could cause the inability to maintain a session in the web-based management portal.
Remediation
Install updates from vendor's website.