CVE-2019-12645

Cisco Jabber Client Framework for Mac Code Execution Vulnerability

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A vulnerability in Cisco Jabber Client Framework (JCF) for Mac Software, installed as part of the Cisco Jabber for Mac client, could allow an authenticated, local attacker to execute arbitrary code on an affected device The vulnerability is due to improper file level permissions on an affected device when it is running Cisco JCF for Mac Software. An attacker could exploit this vulnerability by authenticating to the affected device and executing arbitrary code or potentially modifying certain configuration files. A successful exploit could allow the attacker to execute arbitrary code or modify certain configuration files on the device using the privileges of the installed Cisco JCF for Mac Software.

Una vulnerabilidad en Cisco Jabber Client Framework (JCF) para Mac Software, instalado como parte del cliente Cisco Jabber para Mac, podría permitir a un atacante local autenticado ejecutar código arbitrario en un dispositivo afectado. La vulnerabilidad es debido a permisos de nivel de archivo inapropiados en un dispositivo afectado cuando se ejecuta el software Cisco JCF para Mac. Un atacante podría explotar esta vulnerabilidad mediante su autenticación en el dispositivo afectado y ejecutando código arbitrario o modificando potencialmente ciertos archivos de configuración. Una explotación con éxito podría permitir al atacante ejecutar código arbitrario o modificar ciertos archivos de configuración sobre el dispositivo usando los privilegios del Cisco JCF instalado para Mac Software.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-06-04 CVE Reserved
2019-09-05 CVE Published
2023-03-08 EPSS Updated
2024-09-16 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-20: Improper Input Validation
CWE-732: Incorrect Permission Assignment for Critical Resource

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190904-jcf-codex	2020-10-08

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Cisco Search vendor "Cisco"		Jabber Search vendor "Cisco" for product "Jabber"				< 12.6\(1\) Search vendor "Cisco" for product "Jabber" and version " < 12.6\(1\)"		macos		Affected