CVE-2019-1907

Published: Aug 21, 2019Modified: Jun 17, 2026

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

A vulnerability in the web server of Cisco Integrated Management Controller (IMC) could allow an authenticated, remote attacker to set sensitive configuration values and gain elevated privileges. The vulnerability is due to improper handling of substring comparison operations that are performed by the affected software. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected software. A successful exploit could allow the attacker with read-only privileges to gain administrator privileges.

Affected (3)

Products: Cisco: Unified Computing System, Integrated Management Controller Supervisor

2 products

Unified Computing System

Integrated Management Controller Supervisor

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Cisco Unified Computing System	Version 4.0(1c)hs3

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Cisco Integrated Management Controller Supervisor	Before 4.0\(4b\)

Configuration C

1 vulnerable · 3 platform

Vulnerable Software	Affected Versions
Cisco Integrated Management Controller Supervisor	Before 4.0\(2f\)

Running on/with	Platform Versions
Cisco Ucs C125 M5	All versions
Cisco Ucs C4200	All versions
Cisco Ucs S3260	All versions

Related CWEs

Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

References (2)

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-privescal

Source: psirt@cisco.com

Vendor Advisory

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-privescal

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.