CVE-2019-10689 - OpenCVE

VVX products using UCS software version 5.9.2 and earlier with Better Together over Ethernet Connector (BToE) application version 3.9.1 and earlier provides insufficient authentication between the BToE application and the BToE component, resulting in leakage of sensitive information.

No CVSS v3.1

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Adjacent Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:A/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Polycom	Unified Communications Software Better Together Over Ethernet Connector

Configuration 1 [-]

OR	cpe:2.3:a:polycom:better_together_over_ethernet_connector::::::::
	cpe:2.3:a:polycom:unified_communications_software::::::::

References

Link	Resource
http://www.securityfocus.com/bid/108799	Third Party Advisory VDB Entry
https://support.polycom.com/content/dam/polycom-support/global/documentation/insufficient-authentication-leakage-vvx-products.pdf	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2019-06-24T21:10:20

Updated: 2019-06-24T21:11:17

Reserved: 2019-04-01T00:00:00

Link: CVE-2019-10689

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-06-24T22:15:08.960

Modified: 2019-06-27T17:26:21.897

Link: CVE-2019-10689

JSON object: View

Redhat Information

No data.

CWE

CWE-287

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2019-06-18T00:00:00", "descriptions": [{"lang": "en", "value": "VVX products using UCS software version 5.9.2 and earlier with Better Together over Ethernet Connector (BToE) application version 3.9.1 and earlier provides insufficient authentication between the BToE application and the BToE component, resulting in leakage of sensitive information."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-06-24T21:11:17", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "108799", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/108799"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://support.polycom.com/content/dam/polycom-support/global/documentation/insufficient-authentication-leakage-vvx-products.pdf"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-10689", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "VVX products using UCS software version 5.9.2 and earlier with Better Together over Ethernet Connector (BToE) application version 3.9.1 and earlier provides insufficient authentication between the BToE application and the BToE component, resulting in leakage of sensitive information."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "108799", "refsource": "BID", "url": "http://www.securityfocus.com/bid/108799"}, {"name": "https://support.polycom.com/content/dam/polycom-support/global/documentation/insufficient-authentication-leakage-vvx-products.pdf", "refsource": "CONFIRM", "url": "https://support.polycom.com/content/dam/polycom-support/global/documentation/insufficient-authentication-leakage-vvx-products.pdf"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-10689", "datePublished": "2019-06-24T21:10:20", "dateReserved": "2019-04-01T00:00:00", "dateUpdated": "2019-06-24T21:11:17", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:polycom:better_together_over_ethernet_connector:*:*:*:*:*:*:*:*", "matchCriteriaId": "327C8311-C854-4D47-B09D-91B0C3DD643D", "versionEndIncluding": "3.9.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:polycom:unified_communications_software:*:*:*:*:*:*:*:*", "matchCriteriaId": "3042ADDC-F1B9-42CF-8B0B-2F46AD40F3F8", "versionEndIncluding": "5.9.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "VVX products using UCS software version 5.9.2 and earlier with Better Together over Ethernet Connector (BToE) application version 3.9.1 and earlier provides insufficient authentication between the BToE application and the BToE component, resulting in leakage of sensitive information."}, {"lang": "es", "value": "Los productos VVX que utiliza el software UCS versi\u00f3n 5.9.2 y anteriores, con la aplicaci\u00f3n Better Together over Ethernet Connector (BToE) versi\u00f3n 3.9.1 y anteriores, proporcionan una autenticaci\u00f3n insuficiente entre la aplicaci\u00f3n BToE y el componente de BToE, lo que produce un filtrado de informaci\u00f3n confidencial."}], "id": "CVE-2019-10689", "lastModified": "2019-06-27T17:26:21.897", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 3.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 6.5, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-06-24T22:15:08.960", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/108799"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://support.polycom.com/content/dam/polycom-support/global/documentation/insufficient-authentication-leakage-vvx-products.pdf"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}]}