CVE-2019-19631

Name of the Vulnerable Software and Affected Versions Big Switch Big Monitoring Fabric versions 6.2 through 6.2.4 Big Switch Big Monitoring Fabric versions 6.3 through 6.3.9 Big Switch Big Monitoring Fabric versions 7.0 through 7.0.3 Big Switch Big Monitoring Fabric versions 7.1 through 7.1.3 Big Cloud Fabric versions 4.5 through 4.5.5 Big Cloud Fabric versions 4.7 through 4.7.7 Big Cloud Fabric versions 5.0 through 5.0.1 Big Cloud Fabric versions 5.1 through 5.1.4 Multi-Cloud Director versions through 1.1.0

Description A read-only user can access sensitive information via an API endpoint that reveals session cookies of authenticated administrators, leading to privilege escalation.

Recommendations For Big Switch Big Monitoring Fabric versions 6.2 through 6.2.4, update to a version outside of this range to mitigate the risk. For Big Switch Big Monitoring Fabric versions 6.3 through 6.3.9, update to a version outside of this range to mitigate the risk. For Big Switch Big Monitoring Fabric versions 7.0 through 7.0.3, update to a version outside of this range to mitigate the risk. For Big Switch Big Monitoring Fabric versions 7.1 through 7.1.3, update to a version outside of this range to mitigate the risk. For Big Cloud Fabric versions 4.5 through 4.5.5, update to a version outside of this range to mitigate the risk. For Big Cloud Fabric versions 4.7 through 4.7.7, update to a version outside of this range to mitigate the risk. For Big Cloud Fabric versions 5.0 through 5.0.1, update to a version outside of this range to mitigate the risk. For Big Cloud Fabric versions 5.1 through 5.1.4, update to a version outside of this range to mitigate the risk. For Multi-Cloud Director versions through 1.1.0, update to a version outside of this range to mitigate the risk. As a temporary workaround, consider restricting access to the API endpoint that reveals session cookies of authenticated administrators until a patch is available.