CVE & CISA-KEV Catalog

CVE-2019-1840

Severity: HIGH (CVSS v3 base score 8.6, NVD); EPSS 82nd percentile

Description

A vulnerability in the DHCPv6 input packet processor of Cisco Prime Network Registrar could allow an unauthenticated, remote attacker to restart the server and cause a denial of service (DoS) condition on the affected system. The vulnerability is due to incomplete user-supplied input validation when a custom extension attempts to change a DHCPv6 packet received by the application. An attacker could exploit this vulnerability by sending malformed DHCPv6 packets to the application. An exploit could allow the attacker to trigger a restart of the service which, if exploited repeatedly, might lead to a DoS condition. This vulnerability can only be exploited if the administrator of the server has previously installed custom extensions that attempt to modify the packet details before the packet has been processed. Note: Although the CVSS score matches a High SIR, this has been lowered to Medium because this condition will only affect an application that has customer-developed extensions that will attempt to modify packet parameters before the packet has been completely sanitized. If packet modification in a custom extension happens after the packet has been sanitized, the application will not be affected by this vulnerability. Software versions prior to 8.3(7) and 9.1(2) are affected.

How to fix

Remediation Available
Prime Network Registrar (NVD)
Affected: >= 9.0, < 9.1.2 | Fixed in: 9.1.2 (CVE-2019-1840, derived from NVD)

Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.

CVSS v3 Vector

Exploitability

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Impact

Confidentiality: None
Integrity: None
Availability: High

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Exploit Intelligence

2.44% probability of exploitation in 30 days
82nd percentile

Elevated risk: more likely to be exploited than 82% of all known CVEs.

References

Vendor Advisory (1)
Third-Party Advisory (1)

This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2024-11-21.