#VU35751 Command Injection in Enterprise NFV Infrastructure Software - CVE-2019-1893
Published: July 6, 2019 / Updated: August 8, 2020
Vulnerability identifier: #VU35751
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-1893
CWE-ID: CWE-77
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
Enterprise NFV Infrastructure Software
Enterprise NFV Infrastructure Software
Software vendor:
Cisco Systems, Inc
Cisco Systems, Inc
Description
The vulnerability allows a local authenticated user to execute arbitrary code.
A vulnerability in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system (OS) of an affected device as root. The vulnerability is due to insufficient input validation of a configuration file that is accessible to a local shell user. An attacker could exploit this vulnerability by including malicious input during the execution of this file. A successful exploit could allow the attacker to execute arbitrary commands on the underlying OS as root.
Remediation
Install update from vendor's website.