CVE-2019-1940
Cisco Industrial Network Director Web Services Management Agent Unauthorized Information Disclosure Vulnerability
Public Exploits: 0
Exploited in Wild: -
Descriptions
A vulnerability in the Web Services Management Agent (WSMA) feature of Cisco Industrial Network Director (IND) could allow an unauthenticated, remote attacker to gain unauthorized read access to sensitive data using an invalid X.509 certificate. The vulnerability is due to insufficient X.509 certificate validation when establishing a WSMA connection. An attacker could exploit this vulnerability by supplying a crafted X.509 certificate during the WSMA connection setup phase. A successful exploit could allow the attacker to conduct man-in-the-middle attacks to decrypt confidential information on WSMA connections to the affected software. At the time of publication, this vulnerability affected Cisco IND Software releases prior to 1.7.
Timeline
- 2018-12-06 CVE Reserved
- 2019-07-17 CVE Published
- 2023-04-03 EPSS Updated
- 2024-09-16 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-295: Improper Certificate Validation
- CWE-310: Cryptographic Issues
References (2)
URL | Tag | Source |
---|---|---|
http://www.securityfocus.com/bid/109296 | Third Party Advisory | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Cisco | Industrial Network Director | < 1.7 | - | Affected |