{"containers": {"cna": {"affected": [{"product": "Cisco HyperFlex HX-Series ", "vendor": "Cisco", "versions": [{"lessThan": "3.5(2a)", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2019-02-20T00:00:00", "descriptions": [{"lang": "en", "value": "A vulnerability in the Graphite interface of Cisco HyperFlex software could allow an authenticated, local attacker to write arbitrary data to the Graphite interface. The vulnerability is due to insufficient authorization controls. An attacker could exploit this vulnerability by connecting to the Graphite service and sending arbitrary data. A successful exploit could allow the attacker to write arbitrary data to Graphite, which could result in invalid statistics being presented in the interface. Versions prior to 3.5(2a) are affected."}], "exploits": [{"lang": "en", "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. "}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-345", "description": "CWE-345", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-02-22T10:57:01", "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco"}, "references": [{"name": "20190220 Cisco HyperFlex Arbitrary Statistics Write Vulnerability", "tags": ["vendor-advisory", "x_refsource_CISCO"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190220-hyper-write"}, {"name": "107100", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/107100"}], "source": {"advisory": "cisco-sa-20190220-hyper-write", "defect": [["CSCvj95590"]], "discovery": "INTERNAL"}, "title": "Cisco HyperFlex Arbitrary Statistics Write Vulnerability", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@cisco.com", "DATE_PUBLIC": "2019-02-20T16:00:00-0800", "ID": "CVE-2019-1667", "STATE": "PUBLIC", "TITLE": "Cisco HyperFlex Arbitrary Statistics Write Vulnerability"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Cisco HyperFlex HX-Series ", "version": {"version_data": [{"affected": "<", "version_affected": "<", "version_value": "3.5(2a)"}]}}]}, "vendor_name": "Cisco"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability in the Graphite interface of Cisco HyperFlex software could allow an authenticated, local attacker to write arbitrary data to the Graphite interface. The vulnerability is due to insufficient authorization controls. An attacker could exploit this vulnerability by connecting to the Graphite service and sending arbitrary data. A successful exploit could allow the attacker to write arbitrary data to Graphite, which could result in invalid statistics being presented in the interface. Versions prior to 3.5(2a) are affected."}]}, "exploit": [{"lang": "en", "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. "}], "impact": {"cvss": {"baseScore": "4.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N ", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-345"}]}]}, "references": {"reference_data": [{"name": "20190220 Cisco HyperFlex Arbitrary Statistics Write Vulnerability", "refsource": "CISCO", "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190220-hyper-write"}, {"name": "107100", "refsource": "BID", "url": "http://www.securityfocus.com/bid/107100"}]}, "source": {"advisory": "cisco-sa-20190220-hyper-write", "defect": [["CSCvj95590"]], "discovery": "INTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "assignerShortName": "cisco", "cveId": "CVE-2019-1667", "datePublished": "2019-02-20T00:00:00", "dateReserved": "2018-12-06T00:00:00", "dateUpdated": "2019-02-22T10:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:cisco:hyperflex_hx_data_platform:2.6\\(1a\\):*:*:*:*:*:*:*", "matchCriteriaId": "0D56AD98-9D0D-4ECA-8766-4F19A33F954D", "vulnerable": true}, {"criteria": "cpe:2.3:o:cisco:hyperflex_hx_data_platform:2.6\\(1b\\):*:*:*:*:*:*:*", "matchCriteriaId": "1CEF2FCB-304F-4BDE-9668-C610ECBC2EBD", "vulnerable": true}, {"criteria": "cpe:2.3:o:cisco:hyperflex_hx_data_platform:2.6\\(1d\\):*:*:*:*:*:*:*", "matchCriteriaId": "F4F1BF1D-5DC7-4F8A-BC50-D5ED26D4C015", "vulnerable": true}, {"criteria": "cpe:2.3:o:cisco:hyperflex_hx_data_platform:2.6\\(1e\\):*:*:*:*:*:*:*", "matchCriteriaId": "9831733F-FD4F-4603-B5E9-F4C87214E8AA", "vulnerable": true}, {"criteria": "cpe:2.3:o:cisco:hyperflex_hx_data_platform:3.0\\(1a\\):*:*:*:*:*:*:*", "matchCriteriaId": "FF61D59F-2C04-4210-87C4-9F6C11EEAC7B", "vulnerable": true}, {"criteria": "cpe:2.3:o:cisco:hyperflex_hx_data_platform:3.0\\(1b\\):*:*:*:*:*:*:*", "matchCriteriaId": "0E56E757-9DDB-49E1-A00A-1EFFB751E3D9", "vulnerable": true}, {"criteria": "cpe:2.3:o:cisco:hyperflex_hx_data_platform:3.0\\(1c\\):*:*:*:*:*:*:*", "matchCriteriaId": "BD4BC158-9304-4C85-B054-549083B6A7F5", "vulnerable": true}, {"criteria": "cpe:2.3:o:cisco:hyperflex_hx_data_platform:3.0\\(1d\\):*:*:*:*:*:*:*", "matchCriteriaId": "158B80ED-1BB9-44AE-A321-F313F25062D2", "vulnerable": true}, {"criteria": "cpe:2.3:o:cisco:hyperflex_hx_data_platform:3.0\\(1e\\):*:*:*:*:*:*:*", "matchCriteriaId": "DB7222C3-1EC3-4B30-A45E-987A995F3E7C", "vulnerable": true}, {"criteria": "cpe:2.3:o:cisco:hyperflex_hx_data_platform:3.0\\(1h\\):*:*:*:*:*:*:*", "matchCriteriaId": "2976280F-1B13-45A6-93A2-020F1AE86DA1", "vulnerable": true}, {"criteria": "cpe:2.3:o:cisco:hyperflex_hx_data_platform:3.0\\(1i\\):*:*:*:*:*:*:*", "matchCriteriaId": "B14891F1-CA29-4D9A-9733-C654EB225CF8", "vulnerable": true}, {"criteria": "cpe:2.3:o:cisco:hyperflex_hx_data_platform:3.5\\(1a\\):*:*:*:*:*:*:*", "matchCriteriaId": "7C0D94A1-59E4-4830-B438-C71AD1C19467", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in the Graphite interface of Cisco HyperFlex software could allow an authenticated, local attacker to write arbitrary data to the Graphite interface. The vulnerability is due to insufficient authorization controls. An attacker could exploit this vulnerability by connecting to the Graphite service and sending arbitrary data. A successful exploit could allow the attacker to write arbitrary data to Graphite, which could result in invalid statistics being presented in the interface. Versions prior to 3.5(2a) are affected."}, {"lang": "es", "value": "Una vulnerabilidad en la interfaz Graphite del software HyperFlex de Cisco podr\u00eda permitir a un atacante local autenticado escribir datos arbitrarios en la interfaz Graphite. Esta vulnerabilidad se debe a controles de autorizaci\u00f3n insuficientes. Un atacante podr\u00eda explotar esta vulnerabilidad conect\u00e1ndose al servicio Graphite y enviando datos arbitrarios. Un exploit exitoso podr\u00eda permitir al atacante escribir datos arbitrarios en Graphite, lo que podr\u00eda conducir a la existencia de estad\u00edsticas inv\u00e1lidas en la interfaz. Todas las versiones anteriores a la 3.5(2a) se ven afectadas."}], "id": "CVE-2019-1667", "lastModified": "2021-10-28T13:40:21.347", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.5, "impactScore": 1.4, "source": "ykramarz@cisco.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-02-21T19:29:00.507", "references": [{"source": "ykramarz@cisco.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/107100"}, {"source": "ykramarz@cisco.com", "tags": ["Vendor Advisory"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190220-hyper-write"}], "sourceIdentifier": "ykramarz@cisco.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-345"}], "source": "ykramarz@cisco.com", "type": "Secondary"}]}

{}