CVE-2019-1690

Description

A vulnerability in the management interface of Cisco Application Policy Infrastructure Controller (APIC) software could allow an unauthenticated, adjacent attacker to gain unauthorized access on an affected device. The vulnerability is due to a lack of proper access control mechanisms for IPv6 link-local connectivity imposed on the management interface of an affected device. An attacker on the same physical network could exploit this vulnerability by attempting to connect to the IPv6 link-local address on the affected device. A successful exploit could allow the attacker to bypass default access control restrictions on an affected device. Cisco Application Policy Infrastructure Controller (APIC) devices running versions prior to 4.2(0.21c) are affected.

Related CPE's

aciscoapplication_policy_infrastructure_controller********

hcisconexus_92160yc-x-*******

hcisconexus_56128p-*******

hcisconexus_3132q-v-*******

hcisconexus_5624q-*******

hcisconexus_5548up-*******

hcisconexus_5648q-*******

hciscomds_9100-*******

hcisconexus_9372tx-*******

hcisconexus_3172-*******

References

20190306 Cisco Application Policy Infrastructure Controller IPv6 Link-Local Address Vulnerability

Vendor Advisory

107317

Third Party AdvisoryVDB Entry

CvssV3 impact

BaseSeverity

MEDIUM

ConfidentialityImpact

NONE

AttackComplexity

LOW

Scope

UNCHANGED

AttackVector

ADJACENT_NETWORK

AvailabilityImpact

NONE

IntegrityImpact

HIGH

PrivilegesRequired

NONE

BaseScore

6.5

VectorString

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Version

3.1

UserInteraction

NONE

CvssV2 impact

Version

2.0

VectorString

AV:A/AC:L/Au:N/C:N/I:P/A:N

AccessVector

ADJACENT_NETWORK

AccessComplexity

LOW

Authentication

NONE

ConfidentialityImpact

NONE

IntegrityImpact

PARTIAL

AvailabilityImpact

NONE

BaseScore

3.299999952316284

Created by Yello
About Severity.io