CVE-2019-1679

Cisco TelePresence Conductor, Cisco Expressway Series, and Cisco TelePresence Video Communication Server REST API Server-Side Request Forgery Vulnerability

Severity Score

5.0

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A vulnerability in the web interface of Cisco TelePresence Conductor, Cisco Expressway Series, and Cisco TelePresence Video Communication Server (VCS) Software could allow an authenticated, remote attacker to trigger an HTTP request from an affected server to an arbitrary host. This type of attack is commonly referred to as server-side request forgery (SSRF). The vulnerability is due to insufficient access controls for the REST API of Cisco Expressway Series and Cisco TelePresence VCS. An attacker could exploit this vulnerability by submitting a crafted HTTP request to the affected server. Versions prior to XC4.3.4 are affected.

Una vulnerabilidad en la interfaz web de Cisco TelePresence Conductor, Cisco Expressway Series y Cisco TelePresence Video Communication Server (VCS) podría permitir que un atacante autenticado remoto desencadene una petición HTTP desde un servidor afectado a un host arbitrario. Este tipo de ataque suele denominarse Server-Side Request Forgery (SSRF). La vulnerabilidad se debe a controles de acceso insuficientes para la API REST de Cisco Expressway Series y Cisco TelePresence VCS. Un atacante podría explotar esta vulnerabilidad mediante el envío de una petición HTTP manipulada al servidor afectado. Las versiones anteriores a XC4.3.4 se han visto afectadas.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2018-12-06 CVE Reserved
2019-02-07 CVE Published
2023-07-08 EPSS Updated
2024-09-16 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-918: Server-Side Request Forgery (SSRF)

CAPEC

References (2)

URL	Tag	Source
http://www.securityfocus.com/bid/106940	Broken Link

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190206-rest-api-ssrf	2023-03-23

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Cisco Search vendor "Cisco"		Telepresence Video Communication Server Search vendor "Cisco" for product "Telepresence Video Communication Server"				< x12.5 Search vendor "Cisco" for product "Telepresence Video Communication Server" and version " < x12.5"		-		Affected
Cisco Search vendor "Cisco"		Telepresence Conductor Search vendor "Cisco" for product "Telepresence Conductor"				< xc4.3.4 Search vendor "Cisco" for product "Telepresence Conductor" and version " < xc4.3.4"		-		Affected