ID

VAR-202002-0709


CVE

CVE-2020-3112


TITLE

Authority management vulnerability in Cisco Data Center Network Manager

Trust: 0.8

sources: JVNDB: JVNDB-2020-002128

DESCRIPTION

A vulnerability in the REST API endpoint of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to elevate privileges on the application. The vulnerability is due to insufficient access control validation. An attacker could exploit this vulnerability by authenticating with a low-privilege account and sending a crafted request to the API. A successful exploit could allow the attacker to interact with the API with administrative privileges. It may be put into a denial-of-service (DoS) state. The system is available for Cisco Nexus and MDS series switches and provides storage visualization, configuration and troubleshooting functions.

Trust: 1.71

sources: NVD: CVE-2020-3112 // JVNDB: JVNDB-2020-002128 // VULHUB: VHN-181237

AFFECTED PRODUCTS

vendor: cisco, model: data center network manager, scope: lt, version: 11.3(1)

Trust: 1.0

vendor: cisco, model: data center network manager, scope: -, version: -

Trust: 0.8

vendor: cisco, model: data center network manager, scope: eq, version: 10.31

Trust: 0.6

vendor: cisco, model: data center network manager, scope: eq, version: 4.0

Trust: 0.6

vendor: cisco, model: data center network manager, scope: eq, version: 10.41

Trust: 0.6

vendor: cisco, model: data center network manager, scope: eq, version: 10.21

Trust: 0.6

vendor: cisco, model: data center network manager, scope: eq, version: 5.0

Trust: 0.6

vendor: cisco, model: data center network manager, scope: eq, version: 10.1

Trust: 0.6

vendor: cisco, model: data center network manager, scope: eq, version: 4.1

Trust: 0.6

vendor: cisco, model: data center network manager, scope: eq, version: 10.42

Trust: 0.6

vendor: cisco, model: data center network manager, scope: eq, version: 10.0

Trust: 0.6

vendor: cisco, model: data center network manager, scope: eq, version: 4.2

Trust: 0.6

sources: JVNDB: JVNDB-2020-002128 // CNNVD: CNNVD-202002-975 // NVD: CVE-2020-3112

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-3112
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3112
value: HIGH

Trust: 1.0

NVD: JVNDB-2020-002128
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202002-975
value: HIGH

Trust: 0.6

VULHUB: VHN-181237
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-3112
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-002128
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-181237
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-3112
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3112
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.0

NVD: JVNDB-2020-002128
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-181237 // JVNDB: JVNDB-2020-002128 // CNNVD: CNNVD-202002-975 // NVD: CVE-2020-3112 // NVD: CVE-2020-3112

PROBLEMTYPE DATA

problemtype:CWE-269

Trust: 1.9

problemtype:CWE-264

Trust: 1.0

sources: VULHUB: VHN-181237 // JVNDB: JVNDB-2020-002128 // NVD: CVE-2020-3112

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202002-975

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-202002-975

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-002128

PATCH

title: cisco-sa-20200219-dcnm-priv-esc, url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200219-dcnm-priv-esc

Trust: 0.8

title: Cisco Data Center Network Manager Fixes for permissions and access control issues vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=110031

Trust: 0.6

sources: JVNDB: JVNDB-2020-002128 // CNNVD: CNNVD-202002-975

EXTERNAL IDS

db: NVD, id: CVE-2020-3112

Trust: 2.5

db: JVNDB, id: JVNDB-2020-002128

Trust: 0.8

db: CNNVD, id: CNNVD-202002-975

Trust: 0.7

db: AUSCERT, id: ESB-2020.0621

Trust: 0.6

db: NSFOCUS, id: 46007

Trust: 0.6

db: CNVD, id: CNVD-2020-10705

Trust: 0.1

db: VULHUB, id: VHN-181237

Trust: 0.1

sources: VULHUB: VHN-181237 // JVNDB: JVNDB-2020-002128 // CNNVD: CNNVD-202002-975 // NVD: CVE-2020-3112

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20200219-dcnm-priv-esc

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2020-3112

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-3112

Trust: 0.8

url:http://www.nsfocus.net/vulndb/46007

Trust: 0.6

url:https://vigilance.fr/vulnerability/cisco-data-center-network-manager-privilege-escalation-via-rest-api-31636

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.0621/

Trust: 0.6

sources: VULHUB: VHN-181237 // JVNDB: JVNDB-2020-002128 // CNNVD: CNNVD-202002-975 // NVD: CVE-2020-3112

SOURCES

db: VULHUB, id: VHN-181237
db: JVNDB, id: JVNDB-2020-002128
db: CNNVD, id: CNNVD-202002-975
db: NVD, id: CVE-2020-3112

LAST UPDATE DATE

2024-08-14T14:38:33.910000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-181237, date: 2020-02-24T00:00:00
db: JVNDB, id: JVNDB-2020-002128, date: 2020-03-04T00:00:00
db: CNNVD, id: CNNVD-202002-975, date: 2020-02-28T00:00:00
db: NVD, id: CVE-2020-3112, date: 2020-02-24T16:28:25.490

SOURCES RELEASE DATE

db: VULHUB, id: VHN-181237, date: 2020-02-19T00:00:00
db: JVNDB, id: JVNDB-2020-002128, date: 2020-03-04T00:00:00
db: CNNVD, id: CNNVD-202002-975, date: 2020-02-19T00:00:00
db: NVD, id: CVE-2020-3112, date: 2020-02-19T20:15:14.690