Main Vulnerability Database Vulnerabilities #VU20380

#VU20380 OS Command Injection in Cisco Integrated Management Controller - CVE-2019-1885

Published: August 23, 2019

Vulnerability identifier: #VU20380

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2019-1885

CWE-ID: CWE-78

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Cisco Integrated Management Controller

Software vendor:
Cisco Systems, Inc

Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to insufficient validation of user-supplied input in the Redfish protocol. A remote authenticated attacker can send a specially crafted commands to the web-based management interface and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

This vulnerability affects the following Cisco products that are running Cisco IMC Software:

UCS C-Series and S-Series Servers in standalone mode

Remediation

Install updates from vendor's website.

External links

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-ucs-cimc

#VU20380 OS Command Injection in Cisco Integrated Management Controller - CVE-2019-1885

Description

Remediation

External links

Please verify you're human