Vulnerability Details : CVE-2019-1666
A vulnerability in the Graphite service of Cisco HyperFlex software could allow an unauthenticated, remote attacker to retrieve data from the Graphite service. The vulnerability is due to insufficient authentication controls. An attacker could exploit this vulnerability by sending crafted requests to the Graphite service. A successful exploit could allow the attacker to retrieve any statistics from the Graphite service. Versions prior to 3.5(2a) are affected.
Vulnerability category: BypassGain privilege
Products affected by CVE-2019-1666
- cpe:2.3:o:cisco:hyperflex_hx_data_platform:2.6\(1a\):*:*:*:*:*:*:*
- cpe:2.3:o:cisco:hyperflex_hx_data_platform:3.0\(1a\):*:*:*:*:*:*:*
- cpe:2.3:o:cisco:hyperflex_hx_data_platform:3.0\(1d\):*:*:*:*:*:*:*
- cpe:2.3:o:cisco:hyperflex_hx_data_platform:3.0\(1e\):*:*:*:*:*:*:*
- cpe:2.3:o:cisco:hyperflex_hx_data_platform:3.0\(1h\):*:*:*:*:*:*:*
- cpe:2.3:o:cisco:hyperflex_hx_data_platform:3.0\(1i\):*:*:*:*:*:*:*
- cpe:2.3:o:cisco:hyperflex_hx_data_platform:2.6\(1e\):*:*:*:*:*:*:*
- cpe:2.3:o:cisco:hyperflex_hx_data_platform:3.0\(1b\):*:*:*:*:*:*:*
- cpe:2.3:o:cisco:hyperflex_hx_data_platform:2.6\(1b\):*:*:*:*:*:*:*
- cpe:2.3:o:cisco:hyperflex_hx_data_platform:2.6\(1d\):*:*:*:*:*:*:*
- cpe:2.3:o:cisco:hyperflex_hx_data_platform:3.0\(1c\):*:*:*:*:*:*:*
- cpe:2.3:o:cisco:hyperflex_hx_data_platform:3.5\(1a\):*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-1666
0.10%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 43 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-1666
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
10.0
|
2.9
|
NIST | |
5.3
|
MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
3.9
|
1.4
|
Cisco Systems, Inc. | |
5.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
3.9
|
1.4
|
NIST |
CWE ids for CVE-2019-1666
-
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.Assigned by: ykramarz@cisco.com (Secondary)
-
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-1666
-
http://www.securityfocus.com/bid/107108
Cisco HyperFlex CVE-2019-1666 Arbitrary File Access VulnerabilityThird Party Advisory;VDB Entry
-
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190220-hyper-retrieve
Cisco HyperFlex Unauthenticated Statistics Retrieval VulnerabilityVendor Advisory
Jump to