Permissions, Privileges, and Access Controls in Cisco Systems, Inc products - CVE-2019-1966
Published: August 28, 2019
Vulnerability identifier: #VU20444
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-1966
CWE-ID: CWE-264
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Cisco Systems, Inc
Affected software:
Cisco Unified Computing System
UCS 6300 Series Fabric Interconnects
UCS 6200 Series Fabric Interconnects
Cisco Unified Computing System
UCS 6300 Series Fabric Interconnects
UCS 6200 Series Fabric Interconnects
Detailed vulnerability description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to extraneous sub-command options present for a specific CLI command within the local-mgmt context. A local authenticated attacker can enter the local-mgmt context, issue a specific CLI command and gain root privileges on the device.
How to mitigate CVE-2019-1966
Install updates from vendor's website.