CVE-2019-16029

Cisco Smart Software Manager On-Prem Web Interface Denial of Service Vulnerability

Severity Score

9.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

A vulnerability in the application programming interface (API) of Cisco Smart Software Manager On-Prem could allow an unauthenticated, remote attacker to change user account information which can prevent users from logging in, resulting in a denial of service (DoS) condition of the web interface. The vulnerability is due to the lack of input validation in the API. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. An exploit could allow the attacker to change or corrupt user account information which could grant the attacker administrator access or prevent legitimate user access to the web interface, resulting in a denial of service (DoS) condition.

Una vulnerabilidad en la interfaz de programación de aplicaciones (API) de Cisco Smart Software Manager On-Prem, podría permitir a un atacante remoto no autenticado cambiar la información de la cuenta del usuario, lo que puede impedir a los usuarios iniciar sesión, resultando en una condición de denegación de servicio (DoS) de la interfaz web. La vulnerabilidad es debido a una falta de comprobación de entrada en la API. Un atacante podría explotar esta vulnerabilidad mediante el envío de una petición HTTP diseñada hacia un dispositivo afectado. Un explotación podría permitir que el atacante cambie o corrompa la información de la cuenta del usuario, lo que podría otorgarle al administrador atacante el acceso o impedírselo al usuario legítimo a la interfaz web, resultando en una condición de denegación de servicio (DoS).

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2019-09-06 CVE Reserved
2020-01-26 CVE Published
2023-04-28 EPSS Updated
2024-11-15 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-20: Improper Input Validation

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200122-on-prem-dos	2020-01-31

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Cisco Search vendor "Cisco"		Smart Software Manager On-prem Search vendor "Cisco" for product "Smart Software Manager On-prem"				< 7-201910 Search vendor "Cisco" for product "Smart Software Manager On-prem" and version " < 7-201910"		-		Affected