Permissions, Privileges, and Access Controls in Cisco Systems, Inc products - CVE-2019-12634
Published: August 23, 2019
Vulnerability identifier: #VU20379
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2019-12634
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Cisco Systems, Inc
Affected software:
Cisco UCS Director Express for Big Data
Cisco UCS Director
Cisco Integrated Management Controller Supervisor
Cisco UCS Director Express for Big Data
Cisco UCS Director
Cisco Integrated Management Controller Supervisor
Detailed vulnerability description
The vulnerability allows a remote attacker to cause a denial of service (DoS) condition.
The vulnerability exists due to a missing authentication check in an API call in the web-based management interface. A remote attacker can send a specially crafted request and cause all currently authenticated users to be logged off. Repeated exploitation could cause the inability to maintain a session in the web-based management portal.
How to mitigate CVE-2019-12634
Install updates from vendor's website.