Input validation error in Enterprise NFV Infrastructure Software - CVE-2019-1894
Published: July 6, 2019 / Updated: August 8, 2020
Vulnerability identifier: #VU35752
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-1894
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Cisco Systems, Inc
Affected software:
Enterprise NFV Infrastructure Software
Enterprise NFV Infrastructure Software
Detailed vulnerability description
The vulnerability allows a remote privileged user to execute arbitrary code.
A vulnerability in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, remote attacker with administrator privileges to overwrite or read arbitrary files on the underlying operating system (OS) of an affected device. The vulnerability is due to improper input validation in NFVIS filesystem commands. An attacker could exploit this vulnerability by using crafted variables during the execution of an affected command. A successful exploit could allow the attacker to overwrite or read arbitrary files on the underlying OS.
How to mitigate CVE-2019-1894
Install update from vendor's website.