cvelist/2019/12xxx/CVE-2019-12629.json

{
    "CVE_data_meta": {
        "ASSIGNER": "psirt@cisco.com",
        "DATE_PUBLIC": "2020-01-22T16:00:00-0800",
        "ID": "CVE-2019-12629",
        "STATE": "PUBLIC",
        "TITLE": "Cisco SD-WAN vManage Command Injection Vulnerability"
    },
    "affects": {
        "vendor": {
            "vendor_data": [
                {
                    "product": {
                        "product_data": [
                            {
                                "product_name": "Cisco SD-WAN Solution ",
                                "version": {
                                    "version_data": [
                                        {
                                            "affected": "<",
                                            "version_value": "n/a"
                                        }
                                    ]
                                }
                            }
                        ]
                    },
                    "vendor_name": "Cisco"
                }
            ]
        }
    },
    "data_format": "MITRE",
    "data_type": "CVE",
    "data_version": "4.0",
    "description": {
        "description_data": [
            {
                "lang": "eng",
                "value": "A vulnerability in the WebUI of the Cisco SD-WAN Solution could allow an authenticated, remote attacker to inject and execute arbitrary commands with vmanage user privileges on an affected system. The vulnerability is due to insufficient input validation of data parameters for certain fields in the affected solution. An attacker could exploit this vulnerability by configuring a malicious username on the login page of the affected solution. A successful exploit could allow the attacker to inject and execute arbitrary commands with vmanage user privileges on an affected system."
            }
        ]
    },
    "exploit": [
        {
            "lang": "eng",
            "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. "
        }
    ],
    "impact": {
        "cvss": {
            "baseScore": "4.7",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L ",
            "version": "3.0"
        }
    },
    "problemtype": {
        "problemtype_data": [
            {
                "description": [
                    {
                        "lang": "eng",
                        "value": "CWE-77"
                    }
                ]
            }
        ]
    },
    "references": {
        "reference_data": [
            {
                "name": "20200122 Cisco SD-WAN vManage Command Injection Vulnerability",
                "refsource": "CISCO",
                "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200122-sdwan-cmd-inject"
            }
        ]
    },
    "source": {
        "advisory": "cisco-sa-20200122-sdwan-cmd-inject",
        "defect": [
            [
                "CSCvi70009"
            ]
        ],
        "discovery": "INTERNAL"
    }
}
"-Synchronized-Data." 2019-06-04 12:00:57 +00:00			`{`
			`"CVE_data_meta": {`
Adding Cisco CVE-2019-12629 2020-01-26 04:23:47 +00:00			`"ASSIGNER": "psirt@cisco.com",`
			`"DATE_PUBLIC": "2020-01-22T16:00:00-0800",`
"-Synchronized-Data." 2019-06-04 12:00:57 +00:00			`"ID": "CVE-2019-12629",`
Adding Cisco CVE-2019-12629 2020-01-26 04:23:47 +00:00			`"STATE": "PUBLIC",`
			`"TITLE": "Cisco SD-WAN vManage Command Injection Vulnerability"`
"-Synchronized-Data." 2019-06-04 12:00:57 +00:00			`},`
Adding Cisco CVE-2019-12629 2020-01-26 04:23:47 +00:00			`"affects": {`
			`"vendor": {`
			`"vendor_data": [`
			`{`
			`"product": {`
			`"product_data": [`
			`{`
			`"product_name": "Cisco SD-WAN Solution ",`
			`"version": {`
			`"version_data": [`
			`{`
			`"affected": "<",`
			`"version_value": "n/a"`
			`}`
			`]`
			`}`
			`}`
			`]`
			`},`
			`"vendor_name": "Cisco"`
			`}`
			`]`
			`}`
			`},`
			`"data_format": "MITRE",`
			`"data_type": "CVE",`
			`"data_version": "4.0",`
"-Synchronized-Data." 2019-06-04 12:00:57 +00:00			`"description": {`
			`"description_data": [`
			`{`
			`"lang": "eng",`
"-Synchronized-Data." 2020-01-26 05:01:17 +00:00			"value": "A vulnerability in the WebUI of the Cisco SD-WAN Solution could allow an authenticated, remote attacker to inject and execute arbitrary commands with vmanage user privileges on an affected system. The vulnerability is due to insufficient input validation of data parameters for certain fields in the affected solution. An attacker could exploit this vulnerability by configuring a malicious username on the login page of the affected solution. A successful exploit could allow the attacker to inject and execute arbitrary commands with vmanage user privileges on an affected system."
"-Synchronized-Data." 2019-06-04 12:00:57 +00:00			`}`
			`]`
Adding Cisco CVE-2019-12629 2020-01-26 04:23:47 +00:00			`},`
			`"exploit": [`
			`{`
			`"lang": "eng",`
			`"value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. "`
			`}`
			`],`
			`"impact": {`
			`"cvss": {`
			`"baseScore": "4.7",`
			`"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L ",`
			`"version": "3.0"`
			`}`
			`},`
			`"problemtype": {`
			`"problemtype_data": [`
			`{`
			`"description": [`
			`{`
			`"lang": "eng",`
			`"value": "CWE-77"`
			`}`
			`]`
			`}`
			`]`
			`},`
			`"references": {`
			`"reference_data": [`
			`{`
			`"name": "20200122 Cisco SD-WAN vManage Command Injection Vulnerability",`
			`"refsource": "CISCO",`
			`"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200122-sdwan-cmd-inject"`
			`}`
			`]`
			`},`
			`"source": {`
			`"advisory": "cisco-sa-20200122-sdwan-cmd-inject",`
			`"defect": [`
			`[`
			`"CSCvi70009"`
			`]`
			`],`
			`"discovery": "INTERNAL"`
"-Synchronized-Data." 2019-06-04 12:00:57 +00:00			`}`
"-Synchronized-Data." 2020-01-26 05:01:17 +00:00			`}`