ID

VAR-202007-1050


CVE

CVE-2020-3384


TITLE

Cisco Data Center Network Manager Vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2020-008955

DESCRIPTION

A vulnerability in specific REST API endpoints of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to inject arbitrary commands on the underlying operating system with the privileges of the logged-in user. The vulnerability is due to insufficient validation of user-supplied input to the API. An attacker could exploit this vulnerability by sending a crafted request to the API. A successful exploit could allow the attacker to inject arbitrary commands on the underlying operating system. It may also be put into a denial-of-service (DoS) state. The system is available for Cisco Nexus and MDS series switches and provides storage visualization, configuration and troubleshooting functions. The REST API endpoints in Cisco DCNM versions prior to 11.4(1) have a security vulnerability because the program does not properly validate user input.

Trust: 1.71

sources: NVD: CVE-2020-3384 // JVNDB: JVNDB-2020-008955 // VULHUB: VHN-181509

AFFECTED PRODUCTS

vendor: cisco, model: data center network manager, scope: lt, version: 11.4(1)

Trust: 1.0

vendor: cisco, model: data center network manager, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2020-008955 // NVD: CVE-2020-3384

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-3384
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3384
value: HIGH

Trust: 1.0

NVD: JVNDB-2020-008955
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202007-1700
value: HIGH

Trust: 0.6

VULHUB: VHN-181509
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-3384
severity: MEDIUM
baseScore: 6.0
vectorString: AV:N/AC:M/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 6.8
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-008955
severity: MEDIUM
baseScore: 6.0
vectorString: AV:N/AC:M/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-181509
severity: MEDIUM
baseScore: 6.0
vectorString: AV:N/AC:M/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 6.8
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-3384
baseSeverity: HIGH
baseScore: 8.2
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 2.3
impactScore: 5.3
version: 3.1

Trust: 2.0

NVD: JVNDB-2020-008955
baseSeverity: HIGH
baseScore: 8.2
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-181509 // JVNDB: JVNDB-2020-008955 // CNNVD: CNNVD-202007-1700 // NVD: CVE-2020-3384 // NVD: CVE-2020-3384

PROBLEMTYPE DATA

problemtype:CWE-184

Trust: 1.0

problemtype:NVD-CWE-Other

Trust: 1.0

problemtype:CWE-Other

Trust: 0.8

sources: JVNDB: JVNDB-2020-008955 // NVD: CVE-2020-3384

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202007-1700

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202007-1700

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-008955

PATCH

title: cisco-sa-dcnm-rest-inj-BCt8pwAJ, url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dcnm-rest-inj-BCt8pwAJ

Trust: 0.8

title: Cisco Data Center Network Manager Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=125210

Trust: 0.6

sources: JVNDB: JVNDB-2020-008955 // CNNVD: CNNVD-202007-1700

EXTERNAL IDS

db: NVD, id: CVE-2020-3384

Trust: 2.5

db: JVNDB, id: JVNDB-2020-008955

Trust: 0.8

db: CNNVD, id: CNNVD-202007-1700

Trust: 0.7

db: NSFOCUS, id: 47811

Trust: 0.6

db: AUSCERT, id: ESB-2020.2600

Trust: 0.6

db: CNVD, id: CNVD-2020-44064

Trust: 0.1

db: VULHUB, id: VHN-181509

Trust: 0.1

sources: VULHUB: VHN-181509 // JVNDB: JVNDB-2020-008955 // CNNVD: CNNVD-202007-1700 // NVD: CVE-2020-3384

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-dcnm-rest-inj-bct8pwaj

Trust: 2.3

url:https://nvd.nist.gov/vuln/detail/cve-2020-3384

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-3384

Trust: 0.8

url:https://www.auscert.org.au/bulletins/esb-2020.2600/

Trust: 0.6

url:http://www.nsfocus.net/vulndb/47811

Trust: 0.6

url:https://vigilance.fr/vulnerability/cisco-data-center-network-manager-code-execution-via-rest-api-endpoints-32968

Trust: 0.6

url:https://media.cert.europa.eu/static/securityadvisories/2020/cert-eu-sa2020-039.pdf

Trust: 0.6

sources: VULHUB: VHN-181509 // JVNDB: JVNDB-2020-008955 // CNNVD: CNNVD-202007-1700 // NVD: CVE-2020-3384

SOURCES

db: VULHUB, id: VHN-181509
db: JVNDB, id: JVNDB-2020-008955
db: CNNVD, id: CNNVD-202007-1700
db: NVD, id: CVE-2020-3384

LAST UPDATE DATE

2024-08-14T14:03:38.214000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-181509, date: 2020-08-05T00:00:00
db: JVNDB, id: JVNDB-2020-008955, date: 2020-10-08T00:00:00
db: CNNVD, id: CNNVD-202007-1700, date: 2020-08-17T00:00:00
db: NVD, id: CVE-2020-3384, date: 2023-11-07T03:22:39.590

SOURCES RELEASE DATE

db: VULHUB, id: VHN-181509, date: 2020-07-31T00:00:00
db: JVNDB, id: JVNDB-2020-008955, date: 2020-10-08T00:00:00
db: CNNVD, id: CNNVD-202007-1700, date: 2020-07-29T00:00:00
db: NVD, id: CVE-2020-3384, date: 2020-07-31T00:15:13.303