CVE-2019-1889 — Improper Input Validation in Cisco Application Policy Infrastructure Controller
Severity
7.2 HIGH (NVD)
EPSS
1.2%
top 20.78%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Jul 4
Latest update: May 24
Description
A vulnerability in the REST API for software device management in Cisco Application Policy Infrastructure Controller (APIC) Software could allow an authenticated, remote attacker to escalate privileges to root on an affected device. The vulnerability is due to incomplete validation and error checking for the file path when specific software is uploaded. An attacker could exploit this vulnerability by uploading malicious software using the REST API. A successful exploit could allow an attacker to…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.2 | Impact: 5.9
Affected Packages: 2 packages
Vulnerability Details (2)
GHSA
GHSA-p5h6-5443-r463: A vulnerability in the REST API for software device management in Cisco Application Policy Infrastructure Controller (APIC) Software could allow an au (2022-05-24)
CVEList
Cisco Application Policy Infrastructure Controller REST API Privilege Escalation Vulnerability (2019-07-04)
Vendor Advisories (1)
Cisco
Cisco Application Policy Infrastructure Controller REST API Privilege Escalation Vulnerability (2019-07-03)