CVE-2019-12620Insufficient Verification of Data Authenticity in Cisco Hyperflex Hx-series

CWE-345Insufficient Verification of Data Authenticity4 documents4 sources
Severity
5.3MEDIUMNVD
EPSS
0.2%
top 53.75%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
6
Cisco Hyperflex Hx-seriesCisco Hyperflex Hx220c AF M5 FirmwareCisco Hyperflex Hx220c Edge M5 Firmware+3 more
Timeline
PublishedSep 18
Latest updateMay 24

Description

A vulnerability in the statistics collection service of Cisco HyperFlex Software could allow an unauthenticated, remote attacker to inject arbitrary values on an affected device. The vulnerability is due to insufficient authentication for the statistics collection service. An attacker could exploit this vulnerability by sending properly formatted data values to the statistics collection service of an affected device. A successful exploit could allow the attacker to cause the web interface statis

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages6 packages

CVEListV5cisco/cisco_hyperflex_hx-seriesunspecified3.5.2f
NVDcisco/hyperflex_hx220c_m5_firmware3.0\(1a\), 3.5\(2a\), 4.0\(1a\)+2
NVDcisco/hyperflex_hx240c_m5_firmware3.0\(1a\), 3.5\(2a\), 4.0\(1a\)+2
NVDcisco/hyperflex_hx220c_af_m5_firmware3.0\(1a\), 3.5\(2a\), 4.0\(1a\)+2
NVDcisco/hyperflex_hx240c_af_m5_firmware3.0\(1a\), 3.5\(2a\), 4.0\(1a\)+2

🔴Vulnerability Details

2
GHSA
GHSA-33f4-9hr4-253g: A vulnerability in the statistics collection service of Cisco HyperFlex Software could allow an unauthenticated, remote attacker to inject arbitrary v2022-05-24
CVEList
Cisco HyperFlex Software Counter Value Injection Vulnerability2019-09-18

📋Vendor Advisories

1
Cisco
Cisco HyperFlex Software Counter Value Injection Vulnerability2019-09-18
CVE-2019-12620 — Cisco vulnerability | cvebase