From 0dba3a35106474d23fba59d9db4e5b08ea8c9338 Mon Sep 17 00:00:00 2001 From: santosomar Date: Thu, 28 Mar 2019 00:14:32 +0000 Subject: [PATCH] Adding Cisco CVE-2019-1756 --- 2019/1xxx/CVE-2019-1756.json | 129 +++++++++++++++++++++++++++++++++-- 1 file changed, 125 insertions(+), 4 deletions(-) diff --git a/2019/1xxx/CVE-2019-1756.json b/2019/1xxx/CVE-2019-1756.json index 576641c1679..90b387c3e5f 100644 --- a/2019/1xxx/CVE-2019-1756.json +++ b/2019/1xxx/CVE-2019-1756.json @@ -1,8 +1,86 @@ { "CVE_data_meta": { - "ASSIGNER": "cve@mitre.org", + "ASSIGNER": "psirt@cisco.com", + "DATE_PUBLIC": "2019-03-27T16:00:00-0700", "ID": "CVE-2019-1756", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "Cisco IOS XE Software Command Injection Vulnerability" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Cisco IOS XE Software", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "3.2.0JA" + }, + { + "version_affected": "=", + "version_value": "16.7.1" + }, + { + "version_affected": "=", + "version_value": "16.7.1a" + }, + { + "version_affected": "=", + "version_value": "16.7.1b" + }, + { + "version_affected": "=", + "version_value": "16.7.2" + }, + { + "version_affected": "=", + "version_value": "16.7.3" + }, + { + "version_affected": "=", + "version_value": "16.8.1" + }, + { + "version_affected": "=", + "version_value": "16.8.1a" + }, + { + "version_affected": "=", + "version_value": "16.8.1b" + }, + { + "version_affected": "=", + "version_value": "16.8.1s" + }, + { + "version_affected": "=", + "version_value": "16.8.1c" + }, + { + "version_affected": "=", + "version_value": "16.8.1d" + }, + { + "version_affected": "=", + "version_value": "16.8.2" + }, + { + "version_affected": "=", + "version_value": "16.8.1e" + } + ] + } + } + ] + }, + "vendor_name": "Cisco" + } + ] + } }, "data_format": "MITRE", "data_type": "CVE", @@ -11,8 +89,51 @@ "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "A vulnerability in Cisco IOS XE Software could allow an authenticated, remote attacker to execute commands on the underlying Linux shell of an affected device with root privileges. The vulnerability occurs because the affected software improperly sanitizes user-supplied input. An attacker who has valid administrator access to an affected device could exploit this vulnerability by supplying a username with a malicious payload in the web UI and subsequently making a request to a specific endpoint in the web UI. A successful exploit could allow the attacker to run arbitrary commands as the root user, allowing complete compromise of the system. " } ] + }, + "exploit": [ + { + "lang": "eng", + "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. " + } + ], + "impact": { + "cvss": { + "baseScore": "7.2", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H ", + "version": "3.0" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-20" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "20190327 Cisco IOS XE Software Command Injection Vulnerability", + "refsource": "CISCO", + "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-iosxe-cmdinject" + } + ] + }, + "source": { + "advisory": "cisco-sa-20190327-iosxe-cmdinject", + "defect": [ + [ + "CSCvi36805" + ] + ], + "discovery": "INTERNAL" } -} \ No newline at end of file +}