// For flags

CVE-2019-1900

Cisco Integrated Management Controller Unauthenticated Denial of Service Vulnerability

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Attend
*SSVC
Descriptions

A vulnerability in the web server of Cisco Integrated Management Controller (IMC) could allow an unauthenticated, remote attacker to cause the web server process to crash, causing a denial of service (DoS) condition on an affected system. The vulnerability is due to insufficient validation of user-supplied input on the web interface. An attacker could exploit this vulnerability by submitting a crafted HTTP request to certain endpoints of the affected software. A successful exploit could allow an attacker to cause the web server to crash. Physical access to the device may be required for a restart.

Una vulnerabilidad en el servidor web de Cisco Integrated Management Controller (IMC) podría permitir que un atacante remoto no autenticado provoque el bloqueo del proceso del servidor web, provocando una condición de denegación de servicio (DoS) en un sistema afectado. La vulnerabilidad se debe a una validación insuficiente de la entrada proporcionada por el usuario en la interfaz web. Un atacante podría aprovechar esta vulnerabilidad al enviar una solicitud HTTP diseñada a ciertos puntos finales del software afectado. Una explotación exitosa podría permitir que un atacante haga que el servidor web se bloquee. Es posible que se requiera acceso físico al dispositivo para reiniciar.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
None
Integrity
None
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:Attend
Exploitation
None
Automatable
Yes
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2018-12-06 CVE Reserved
  • 2019-08-21 CVE Published
  • 2023-03-07 EPSS Updated
  • 2024-11-19 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-476: NULL Pointer Dereference
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Cisco
Search vendor "Cisco"
Integrated Management Controller Supervisor
Search vendor "Cisco" for product "Integrated Management Controller Supervisor"
>= 4.0.0.0 < 4.0\(2f\)
Search vendor "Cisco" for product "Integrated Management Controller Supervisor" and version " >= 4.0.0.0 < 4.0\(2f\)"
-
Affected
in Cisco
Search vendor "Cisco"
Ucs C125 M5
Search vendor "Cisco" for product "Ucs C125 M5"
--
Safe
Cisco
Search vendor "Cisco"
Integrated Management Controller Supervisor
Search vendor "Cisco" for product "Integrated Management Controller Supervisor"
>= 4.0.0.0 < 4.0\(2f\)
Search vendor "Cisco" for product "Integrated Management Controller Supervisor" and version " >= 4.0.0.0 < 4.0\(2f\)"
-
Affected
in Cisco
Search vendor "Cisco"
Ucs C4200
Search vendor "Cisco" for product "Ucs C4200"
--
Safe
Cisco
Search vendor "Cisco"
Integrated Management Controller Supervisor
Search vendor "Cisco" for product "Integrated Management Controller Supervisor"
>= 4.0.0.0 < 4.0\(2f\)
Search vendor "Cisco" for product "Integrated Management Controller Supervisor" and version " >= 4.0.0.0 < 4.0\(2f\)"
-
Affected
in Cisco
Search vendor "Cisco"
Ucs S3260
Search vendor "Cisco" for product "Ucs S3260"
--
Safe
Cisco
Search vendor "Cisco"
Unified Computing System
Search vendor "Cisco" for product "Unified Computing System"
4.0\(1c\)hs3
Search vendor "Cisco" for product "Unified Computing System" and version "4.0\(1c\)hs3"
-
Affected