CVE-2019-1857

A vulnerability in the web-based management interface of Cisco HyperFlex HX-Series could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected system. The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user of the interface to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions on an affected system by using a web browser and with the privileges of the user.

CVSS v3 8.8 HIGH
CVSS v2.0 6.8 MEDIUM

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector : AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.8^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://www.securityfocus.com/bid/108163
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-hyperflex-csrf	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:cisco:hx220c_m5_firmware:3.0\(1a\):*:*:*:*:*:*:*

cpe:2.3:h:cisco:hx220c_m5:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:cisco:hx240c_m5_firmware:3.0\(1a\):*:*:*:*:*:*:*

cpe:2.3:h:cisco:hx240c_m5:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:cisco:hx240c_large_form_factor_firmware:3.0\(1a\):*:*:*:*:*:*:*

cpe:2.3:h:cisco:hx240c_large_form_factor:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:o:cisco:hx220c_all_nvme_m5_firmware:3.0\(1a\):*:*:*:*:*:*:*

cpe:2.3:h:cisco:hx220c_all_nvme_m5:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

cpe:2.3:o:cisco:hx220c_af_m5_firmware:3.0\(1a\):*:*:*:*:*:*:*

cpe:2.3:h:cisco:hx220c_af_m5:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND

cpe:2.3:o:cisco:hx240c_af_m5_firmware:3.0\(1a\):*:*:*:*:*:*:*

cpe:2.3:h:cisco:hx240c_af_m5:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND

cpe:2.3:o:cisco:hx220c_edge_m5_firmware:3.0\(1a\):*:*:*:*:*:*:*

cpe:2.3:h:cisco:hx220c_edge_m5:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND

cpe:2.3:o:cisco:ucs_b200_m5_firmware:3.0\(1a\):*:*:*:*:*:*:*

cpe:2.3:h:cisco:ucs_b200_m5:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND

cpe:2.3:o:cisco:ucs_b480_m5_firmware:3.0\(1a\):*:*:*:*:*:*:*

cpe:2.3:h:cisco:ucs_b480_m5:-:*:*:*:*:*:*:*

Configuration 10 (hide)

AND

cpe:2.3:o:cisco:ucs_c480_m5_firmware:3.0\(1a\):*:*:*:*:*:*:*

cpe:2.3:h:cisco:ucs_c480_m5:-:*:*:*:*:*:*:*

Configuration 11 (hide)

AND

cpe:2.3:o:cisco:ucs_c125_m5_firmware:3.0\(1a\):*:*:*:*:*:*:*

cpe:2.3:h:cisco:ucs_c125_m5:-:*:*:*:*:*:*:*

Configuration 12 (hide)

AND

cpe:2.3:o:cisco:ucs_c220_m5_firmware:3.0\(1a\):*:*:*:*:*:*:*

cpe:2.3:h:cisco:ucs_c220_m5:-:*:*:*:*:*:*:*

Configuration 13 (hide)

AND

cpe:2.3:o:cisco:ucs_c240_m5_firmware:3.0\(1a\):*:*:*:*:*:*:*

cpe:2.3:h:cisco:ucs_c240_m5:-:*:*:*:*:*:*:*

Configuration 14 (hide)

AND

cpe:2.3:o:cisco:ucs_c480_ml_firmware:3.0\(1a\):*:*:*:*:*:*:*

cpe:2.3:h:cisco:ucs_c480_ml:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2019-05-03 17:29

Updated : 2023-12-10 12:59

NVD link : CVE-2019-1857

Mitre link : CVE-2019-1857

CVE.ORG link : CVE-2019-1857

JSON object : View

Products Affected

cisco

hx240c_large_form_factor
hx240c_m5
ucs_c240_m5_firmware
hx220c_edge_m5
ucs_c125_m5
hx220c_all_nvme_m5
ucs_b480_m5_firmware
ucs_c480_m5
hx220c_m5
hx220c_edge_m5_firmware
ucs_b200_m5
ucs_c480_m5_firmware
hx240c_af_m5
hx220c_af_m5_firmware
ucs_c220_m5
hx220c_af_m5
hx220c_m5_firmware
ucs_c240_m5
ucs_c480_ml_firmware
hx240c_af_m5_firmware
hx240c_m5_firmware
hx220c_all_nvme_m5_firmware
ucs_b480_m5
ucs_c220_m5_firmware
ucs_b200_m5_firmware
hx240c_large_form_factor_firmware
ucs_c125_m5_firmware
ucs_c480_ml

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

8.8 /10