CVE-2019-1851 MEDIUM

CVE-2019-1851: Cisco Identity Services Engine Arbitrary Client Certificate Creation Vulnerability

Vendor Cisco
Product Cisco Identity Services Engine Software
Weakness CWE-285
Published May 16, 2019
Last update November 21, 2024

CVSS base score

6.8/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N

What the vulnerability does

01Description

A vulnerability in the External RESTful Services (ERS) API of the Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to generate arbitrary certificates signed by the Internal Certificate Authority (CA) Services on ISE. This vulnerability is due to an incorrect implementation of role-based access control (RBAC). An attacker could exploit this vulnerability by crafting a specific HTTP request with administrative credentials. A successful exploit could allow the attacker to generate a certificate that is signed and trusted by the ISE CA with arbitrary attributes. The attacker could use this certificate to access other networks or assets that are protected by certificate authentication.

Key dates

02Disclosure timeline

May 16, 2019 CVE published
November 21, 2024 Record updated