VAR-201905-0579
Vulnerability from variot - Updated: 2023-12-18 12:50A vulnerability in the FUSE filesystem functionality for Cisco Application Policy Infrastructure Controller (APIC) software could allow an authenticated, local attacker to escalate privileges to root on an affected device. The vulnerability is due to insufficient input validation for certain command strings issued on the CLI of the affected device. An attacker with write permissions for files within a readable folder on the device could alter certain definitions in the affected file. A successful exploit could allow an attacker to cause the underlying FUSE driver to execute said crafted commands, elevating the attacker's privileges to root on an affected device. This issue is being tracked by Cisco Bug ID CSCvn09779. The FUSE file system functionality in Cisco APIC versions prior to 4.1(1i) is vulnerable to permission and access control issues. The vulnerability stems from the lack of effective permissions and access control measures in network systems or products
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201905-0579",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "application policy infrastructure controller",
"scope": "lt",
"trust": 1.0,
"vendor": "cisco",
"version": "4.1\\(1i\\)"
},
{
"model": "application policy infrastructure controller",
"scope": null,
"trust": 0.8,
"vendor": "cisco",
"version": null
},
{
"model": "application policy infrastructure controller 3.2",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "application policy infrastructure controller 2.3",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "application policy infrastructure controller",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "2.2(1)"
},
{
"model": "application policy infrastructure controller 2.1",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "application policy infrastructure controller 2.0",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "application policy infrastructure controller 1.3",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "application policy infrastructure controller 4.1",
"scope": "ne",
"trust": 0.3,
"vendor": "cisco",
"version": null
}
],
"sources": [
{
"db": "BID",
"id": "108129"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-003893"
},
{
"db": "NVD",
"id": "CVE-2019-1682"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:cisco:application_policy_infrastructure_controller:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "4.1\\(1i\\)",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2019-1682"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Octav Opaschi with Detack GmbH ?? ??,Octav Opaschi with Detack GmbH .,Octav Opaschi with Detack GmbH",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201905-015"
}
],
"trust": 0.6
},
"cve": "CVE-2019-1682",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.9,
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Local",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Complete",
"baseScore": 7.2,
"confidentialityImpact": "Complete",
"exploitabilityScore": null,
"id": "CVE-2019-1682",
"impactScore": null,
"integrityImpact": "Complete",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.9,
"id": "VHN-149004",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:L/AC:L/AU:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"author": "ykramarz@cisco.com",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Local",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 7.8,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2019-1682",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "Low",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2019-1682",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "ykramarz@cisco.com",
"id": "CVE-2019-1682",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201905-015",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-149004",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-149004"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-003893"
},
{
"db": "NVD",
"id": "CVE-2019-1682"
},
{
"db": "NVD",
"id": "CVE-2019-1682"
},
{
"db": "CNNVD",
"id": "CNNVD-201905-015"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "A vulnerability in the FUSE filesystem functionality for Cisco Application Policy Infrastructure Controller (APIC) software could allow an authenticated, local attacker to escalate privileges to root on an affected device. The vulnerability is due to insufficient input validation for certain command strings issued on the CLI of the affected device. An attacker with write permissions for files within a readable folder on the device could alter certain definitions in the affected file. A successful exploit could allow an attacker to cause the underlying FUSE driver to execute said crafted commands, elevating the attacker\u0027s privileges to root on an affected device. \nThis issue is being tracked by Cisco Bug ID CSCvn09779. The FUSE file system functionality in Cisco APIC versions prior to 4.1(1i) is vulnerable to permission and access control issues. The vulnerability stems from the lack of effective permissions and access control measures in network systems or products",
"sources": [
{
"db": "NVD",
"id": "CVE-2019-1682"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-003893"
},
{
"db": "BID",
"id": "108129"
},
{
"db": "VULHUB",
"id": "VHN-149004"
}
],
"trust": 1.98
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2019-1682",
"trust": 2.8
},
{
"db": "BID",
"id": "108129",
"trust": 1.0
},
{
"db": "JVNDB",
"id": "JVNDB-2019-003893",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201905-015",
"trust": 0.7
},
{
"db": "NSFOCUS",
"id": "43204",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2019.1518.2",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-149004",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-149004"
},
{
"db": "BID",
"id": "108129"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-003893"
},
{
"db": "NVD",
"id": "CVE-2019-1682"
},
{
"db": "CNNVD",
"id": "CNNVD-201905-015"
}
]
},
"id": "VAR-201905-0579",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-149004"
}
],
"trust": 0.01
},
"last_update_date": "2023-12-18T12:50:17.650000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "cisco-sa-20190501-apic-priv-escalation",
"trust": 0.8,
"url": "https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190501-apic-priv-escalation"
},
{
"title": "Cisco Application Policy Infrastructure Controller Fixes for permissions and access control issues vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=92166"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-003893"
},
{
"db": "CNNVD",
"id": "CNNVD-201905-015"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-20",
"trust": 1.1
},
{
"problemtype": "CWE-264",
"trust": 0.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-149004"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-003893"
},
{
"db": "NVD",
"id": "CVE-2019-1682"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.0,
"url": "https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190501-apic-priv-escalation"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-1682"
},
{
"trust": 0.9,
"url": "http://www.cisco.com/"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1682"
},
{
"trust": 0.6,
"url": "https://www.securityfocus.com/bid/108129"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/80110"
},
{
"trust": 0.6,
"url": "http://www.nsfocus.net/vulndb/43204"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-149004"
},
{
"db": "BID",
"id": "108129"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-003893"
},
{
"db": "NVD",
"id": "CVE-2019-1682"
},
{
"db": "CNNVD",
"id": "CNNVD-201905-015"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-149004"
},
{
"db": "BID",
"id": "108129"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-003893"
},
{
"db": "NVD",
"id": "CVE-2019-1682"
},
{
"db": "CNNVD",
"id": "CNNVD-201905-015"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-05-03T00:00:00",
"db": "VULHUB",
"id": "VHN-149004"
},
{
"date": "2019-05-01T00:00:00",
"db": "BID",
"id": "108129"
},
{
"date": "2019-05-23T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-003893"
},
{
"date": "2019-05-03T15:29:00.777000",
"db": "NVD",
"id": "CVE-2019-1682"
},
{
"date": "2019-05-01T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201905-015"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-10-07T00:00:00",
"db": "VULHUB",
"id": "VHN-149004"
},
{
"date": "2019-05-01T00:00:00",
"db": "BID",
"id": "108129"
},
{
"date": "2019-05-23T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-003893"
},
{
"date": "2020-10-07T18:11:31.143000",
"db": "NVD",
"id": "CVE-2019-1682"
},
{
"date": "2020-10-28T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201905-015"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "local",
"sources": [
{
"db": "BID",
"id": "108129"
},
{
"db": "CNNVD",
"id": "CNNVD-201905-015"
}
],
"trust": 0.9
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Cisco Application Policy Infrastructure Controller Vulnerability related to authorization, authority, and access control in software",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-003893"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Input Validation Error",
"sources": [
{
"db": "BID",
"id": "108129"
},
{
"db": "CNNVD",
"id": "CNNVD-201905-015"
}
],
"trust": 0.9
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…