Unrated severity · NVD Advisory · Published Aug 8, 2019 · Updated Nov 21, 2024

Cisco Enterprise NFV Infrastructure Software Web Portal Arbitrary File Read Vulnerability

CVE-2019-1961

Description

A vulnerability in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, remote attacker to read arbitrary files on the underlying operating system (OS) of an affected device. The vulnerability is due to the improper input validation of tar packages uploaded through the Web Portal to the Image Repository. An attacker could exploit this vulnerability by uploading a crafted tar package and viewing the log entries that are generated. A successful exploit could allow the attacker to read arbitrary files on the underlying OS.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An authenticated, remote attacker can read arbitrary files on Cisco NFVIS by uploading a crafted tar package to the Image Repository via the Web Portal.

Vulnerability

The vulnerability is in the Cisco Enterprise NFV Infrastructure Software (NFVIS) Web Portal when handling tar packages uploaded to the Image Repository. Due to improper input validation, a crafted tar package can lead to arbitrary file read on the underlying OS. Affected versions are earlier than Release 3.10.1. [1]

Exploitation

An attacker must have authenticated access to the NFVIS Web Portal. The attacker uploads a specially crafted tar package, then views the generated log entries, which reveal the contents of arbitrary files. [1]

Impact

Successful exploitation allows the attacker to read arbitrary files on the underlying operating system of the affected device, potentially exposing sensitive information. [1]

Mitigation

Cisco has released software updates in NFVIS Release 3.10.1 to address this vulnerability. There are no workarounds. Customers should upgrade to a fixed release. [1]

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2


References

1
