CVE-2019-1851: Improper Authorization in Cisco Identity Services Engine Software

Severity: 6.8 MEDIUM (NVD)
EPSS: 0.1% (top 69.74%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published May 16, latest update May 24

Description

A vulnerability in the External RESTful Services (ERS) API of the Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to generate arbitrary certificates signed by the Internal Certificate Authority (CA) Services on ISE. This vulnerability is due to an incorrect implementation of role-based access control (RBAC). An attacker could exploit this vulnerability by crafting a specific HTTP request with administrative credentials. A successful exploit could allow the atta

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N
Exploitability: 2.3 | Impact: 4.0

Affected Packages (2 packages)

CVEListV5 | cisco/cisco_identity_services_engine_software | unspecified | n/a
NVD | cisco/identity_services_engine | 2.2(0.470), 2.3(0.298), 2.4(0.357) +2

🔴 Vulnerability Details (2)

GHSA (2022-05-24): GHSA-6wxc-vxm7-4wrp: A vulnerability in the External RESTful Services (ERS) API of the Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker t
CVEList (2019-05-16): Cisco Identity Services Engine Arbitrary Client Certificate Creation Vulnerability

📋 Vendor Advisories (1)

Cisco (2019-05-15): Cisco Identity Services Engine Arbitrary Client Certificate Creation Vulnerability