CVE-2019-1937
Published: 2019-08-21
Severity: critical, CVSS 3.0 base score 9.8
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data could allow an unauthenticated, remote attacker to acquire a valid session token with administrator privileges, bypassing user authentication. The vulnerability is due to insufficient request header validation during the authentication process. An attacker could exploit this vulnerability by sending a series of malicious requests to an affected device. An exploit could allow the attacker to use the acquired session token to gain full administrator access to the affected device.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | cisco_unified_computing_system_director | >= unspecified < 6.7.3.0 | 6.7.3.0 |
| cisco | integrated_management_controller_supervisor | 2.2.0.3 – 2.2.0.6 | — |
| cisco | integrated_management_controller_supervisor_cisco_ucs_director_and_cisco_ucs_dir | — | — |
| cisco | ucs_director | — | — |
| cisco | ucs_director | 6.6.0.0 – 6.6.1.0 | — |
| cisco | ucs_director | 6.7.0.0 – 6.7.1.0 | — |
| cisco | ucs_director_express_for_big_data | — | — |
| cisco | ucs_director_express_for_big_data | 3.7.0.0 – 3.7.1.0 | — |