CVE-2019-1961

CWE-532 — Log File Information Exposure CWE-20 — Improper Input Validation4 documents4 sources

Severity

4.9MEDIUM

EPSS

0.3%

top 45.44%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco Cisco Enterprise NFV Infrastructure Software Cisco Enterprise Network Function Virtualization Infrastructure

Timeline

PublishedAug 8

Latest updateMay 24

Description

A vulnerability in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, remote attacker to read arbitrary files on the underlying operating system (OS) of an affected device. The vulnerability is due to the improper input validation of tar packages uploaded through the Web Portal to the Image Repository. An attacker could exploit this vulnerability by uploading a crafted tar package and viewing the log entries that are generated. A successful exploit could allow the…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:NExploitability: 1.2 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5cisco/cisco_enterprise_nfv_infrastructure_softwareunspecified — n/a

▶NVDcisco/enterprise_network_function_virtualization_infrastructure< 3.10.1

🔴Vulnerability Details

GHSA

GHSA-48fj-hw7g-w9rw: A vulnerability in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, remote attacker to read arbitrary files on the u↗2022-05-24

▶

CVEList

Cisco Enterprise NFV Infrastructure Software Web Portal Arbitrary File Read Vulnerability↗2019-08-08

▶

📋Vendor Advisories

Cisco

Cisco Enterprise NFV Infrastructure Software Web Portal Arbitrary File Read Vulnerability↗2019-08-07

▶