Cisco Prime Infrastructure and Evolved Programmable Network Manager Remote Code Execution Vulnerabilities
On May 15th, Cisco officially issued a security notice stating that three high-risk vulnerabilities (CVE-2019-1821, CVE-2019-1822, CVE-2019-1823) exist in Cisco Prime Infrastructure and Evolved Programmable Network Manager. The vulnerabilities stem from the software not properly validating and filtering user input. An attacker can exploit them by uploading a malicious file to the administrator interface. Successful exploitation allows the attacker to execute code with root privileges on the affected system.
CVSS 3.0 Base Score: 9.8
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
Affected versions
- Cisco PI Software Releases < 3.4.1
- Cisco PI Software Releases < 3.5
- Cisco PI Software Releases < 3.6
- EPN Manager Releases < 3.0.1
Unaffected versions
- Cisco PI Software Releases == 3.4.1
- Cisco PI Software Releases == 3.5
- Cisco PI Software Releases == 3.6
- EPN Manager Releases == 3.0.1
Solution
Cisco has released new versions that fix the above vulnerabilities. Users should update Cisco Prime Infrastructure and Evolved Programmable Network Manager to an unaffected version.