Cisco HyperFlex Software up to 3.5 Graphite Interface data authenticity
CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
---|---|---|
4.1 | $0-$5k | 0.00 |
A vulnerability was found in Cisco HyperFlex Software up to 3.5. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Graphite Interface. The manipulation with an unknown input leads to a data authenticity vulnerability. Using CWE to declare the problem leads to CWE-345. The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. Impacted is confidentiality, integrity, and availability. CVE summarizes:
A vulnerability in the Graphite interface of Cisco HyperFlex software could allow an authenticated, local attacker to write arbitrary data to the Graphite interface. The vulnerability is due to insufficient authorization controls. An attacker could exploit this vulnerability by connecting to the Graphite service and sending arbitrary data. A successful exploit could allow the attacker to write arbitrary data to Graphite, which could result in invalid statistics being presented in the interface. Versions prior to 3.5(2a) are affected.
The bug was discovered 02/20/2019. The weakness was shared 02/21/2019 as cisco-sa-20190220-hyper-write as confirmed advisory (Website). The advisory is shared for download at tools.cisco.com. This vulnerability is handled as CVE-2019-1667 since 12/06/2018. The attack needs to be approached locally. A simple authentication is required for exploitation. There are neither technical details nor an exploit publicly available.
The vulnerability was handled as a non-public zero-day exploit for at least 1 days. During that time the estimated underground price was around $0-$5k.
Upgrading to version 3.5(2a) eliminates this vulnerability.
The entries VDB-131083, VDB-131082 and VDB-131081 are related to this item.
Product
Vendor
Name
Version
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB CVSS-B Score: 🔍VulDB CVSS-BT Score: 🔍
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 4.2VulDB Meta Temp Score: 4.1
VulDB Base Score: 5.3
VulDB Temp Score: 5.1
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 3.3
NVD Vector: 🔍
CNA Base Score: 4.0
CNA Vector (Cisco Systems, Inc.): 🔍
CVSSv2
AV | AC | Au | C | I | A |
---|---|---|---|---|---|
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
---|---|---|---|---|---|
unlock | unlock | unlock | unlock | unlock | unlock |
unlock | unlock | unlock | unlock | unlock | unlock |
unlock | unlock | unlock | unlock | unlock | unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Data authenticityCWE: CWE-345
CAPEC: 🔍
ATT&CK: 🔍
Local: Yes
Remote: No
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
0-Day | unlock | unlock | unlock | unlock |
---|---|---|---|---|
Today | unlock | unlock | unlock | unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: HyperFlex Software 3.5(2a)
Timeline
12/06/2018 🔍02/20/2019 🔍
02/21/2019 🔍
02/22/2019 🔍
07/19/2023 🔍
Sources
Vendor: cisco.comAdvisory: cisco-sa-20190220-hyper-write
Status: Confirmed
CVE: CVE-2019-1667 (🔍)
SecurityFocus: 107100
See also: 🔍
Entry
Created: 02/22/2019 06:53 AMUpdated: 07/19/2023 07:11 AM
Changes: 02/22/2019 06:53 AM (61), 05/12/2020 07:06 AM (1), 07/19/2023 06:58 AM (3), 07/19/2023 07:11 AM (12)
Complete: 🔍
Cache ID: 44:4DB:40
No comments yet. Languages: en.
Please log in to comment.