A vulnerability classified as critical was found in Cisco Enterprise NFV Infrastructure Software (unknown version). This vulnerability affects an unknown code block of the component NFVIS Filesystem Command Handler. The manipulation as part of a System Command leads to a input validation vulnerability. The CWE definition for the vulnerability is CWE-20. The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:

A vulnerability in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, remote attacker with administrator privileges to overwrite or read arbitrary files on the underlying operating system (OS) of an affected device. The vulnerability is due to improper input validation in NFVIS filesystem commands. An attacker could exploit this vulnerability by using crafted variables during the execution of an affected command. A successful exploit could allow the attacker to overwrite or read arbitrary files on the underlying OS.

The weakness was disclosed 07/06/2019 as cisco-sa-20190703-nfvis-file-r as confirmed advisory (Website). The advisory is available at tools.cisco.com. This vulnerability was named CVE-2019-1894 since 12/06/2018. The attack can be initiated remotely. The requirement for exploitation is a single authentication. The technical details are unknown and an exploit is not available.

Upgrading eliminates this vulnerability.

The entry 137421 is pretty similar.

Productinfo

Vendor

• Cisco

Name

• Enterprise NFV Infrastructure Software

License

• commercial

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion