Command Injection in Enterprise NFV Infrastructure Software - CVE-2019-1893
Published: July 6, 2019 / Updated: August 8, 2020
Vulnerability identifier: #VU35751
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-1893
CWE-ID: CWE-77
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Cisco Systems, Inc
Affected software:
Enterprise NFV Infrastructure Software
Enterprise NFV Infrastructure Software
Detailed vulnerability description
The vulnerability allows a local authenticated user to execute arbitrary code.
A vulnerability in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system (OS) of an affected device as root. The vulnerability is due to insufficient input validation of a configuration file that is accessible to a local shell user. An attacker could exploit this vulnerability by including malicious input during the execution of this file. A successful exploit could allow the attacker to execute arbitrary commands on the underlying OS as root.
How to mitigate CVE-2019-1893
Install update from vendor's website.