CVE-2019-1610 : A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated,

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system of an affected device. The vulnerability is due to insufficient validation of arguments passed to certain CLI commands. An attacker could exploit this vulnerability by including malicious input as the argument of an affected command. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with elevated privileges. An attacker would need valid administrator credentials to exploit this vulnerability. Nexus 3500 Platform Switches and Nexus 3000 Series Switches software versions prior to 7.0(3)I7(4) are affected.

Published 2019-03-11 21:29:01

Updated 2020-10-05 19:52:26

Source Cisco Systems, Inc.

View at NVD, CVE.org

Products affected by CVE-2019-1610

Cisco » Nx-os
Versions from including (>=) 7.0\(3\) and up to, including, (<=) 7.0\(3\)i7\(4\)
cpe:2.3:o:cisco:nx-os:*:*:*:*:*:*:*:*
Matching versions
When used together with: Cisco » Nexus 3500 Platform » Version: N/A
Cisco » Nx-os
Versions before (<) 7.0\(3\)i7\(4\)
cpe:2.3:o:cisco:nx-os:*:*:*:*:*:*:*:*
Matching versions
When used together with: Cisco » Nexus 3000 Series » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2019-1610

EPSS FAQ

0.08%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 21 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2019-1610

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.2	HIGH	AV:L/AC:L/Au:N/C:C/I:C/A:C	3.9	10.0	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
4.2	MEDIUM	CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L	0.8	3.4	Cisco Systems, Inc.
Attack Vector: Local Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: Low Availability: Low
6.7	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	0.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2019-1610

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Assigned by: ykramarz@cisco.com (Secondary)
CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2019-1610

http://www.securityfocus.com/bid/107338

Cisco NX-OS Software CVE-2019-1610 Local Command Injection Vulnerability
Third Party Advisory;VDB Entry
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190306-nxos-cmdinj-1610

Cisco NX-OS Software CLI Command Injection Vulnerability (CVE-2019-1610)
Vendor Advisory

Jump to

Vulnerability Details : CVE-2019-1610

Products affected by CVE-2019-1610

Exploit prediction scoring system (EPSS) score for CVE-2019-1610

CVSS scores for CVE-2019-1610

CWE ids for CVE-2019-1610

References for CVE-2019-1610