File and Directory Information Exposure in Enterprise NFV Infrastructure Software

#VU20389 File and Directory Information Exposure in Enterprise NFV Infrastructure Software

Published: 2019-08-26

Vulnerability identifier: #VU20389

Vulnerability risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-12623

CWE-ID: CWE-538

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Enterprise NFV Infrastructure Software
Server applications / Virtualization software

Vendor: Cisco Systems, Inc

Description

The vulnerability allows a remote attacker to perform file enumeration on an affected system.

The vulnerability exists in the web server functionality due to the web server responds with different error codes for exist and non-exist files. A remote attacker can send specially crafted GET requests for different file names and enumerate files residing on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Enterprise NFV Infrastructure Software: All versions

External links
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-nfv-enumeration

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Enterprise NFV Infrastructure Software