Sign-up

ID

VAR-202007-1050


CVE

CVE-2020-3384


TITLE

Cisco Data Center Network Manager Vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2020-008955

DESCRIPTION

A vulnerability in specific REST API endpoints of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to inject arbitrary commands on the underlying operating system with the privileges of the logged-in user. The vulnerability is due to insufficient validation of user-supplied input to the API. An attacker could exploit this vulnerability by sending a crafted request to the API. A successful exploit could allow the attacker to inject arbitrary commands on the underlying operating system. (DoS) It may be put into a state. The system is available for Cisco Nexus and MDS series switches and provides storage visualization, configuration and troubleshooting functions. The REST API endpoints in Cisco DCNM versions prior to 11.4(1) have a security vulnerability due to the program not properly validating user input

Trust: 1.71

sources: NVD: CVE-2020-3384 // JVNDB: JVNDB-2020-008955 // VULHUB: VHN-181509

AFFECTED PRODUCTS

vendor:ciscomodel:data center network managerscope:ltversion:11.4\(1\)

Trust: 1.0

vendor:ciscomodel:data center network managerscope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2020-008955 // NVD: CVE-2020-3384

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-3384
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3384
value: HIGH

Trust: 1.0

NVD: JVNDB-2020-008955
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202007-1700
value: HIGH

Trust: 0.6

VULHUB: VHN-181509
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-3384
severity: MEDIUM
baseScore: 6.0
vectorString: AV:N/AC:M/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 6.8
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-008955
severity: MEDIUM
baseScore: 6.0
vectorString: AV:N/AC:M/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-181509
severity: MEDIUM
baseScore: 6.0
vectorString: AV:N/AC:M/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 6.8
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-3384
baseSeverity: HIGH
baseScore: 8.2
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 2.3
impactScore: 5.3
version: 3.1

Trust: 2.0

NVD: JVNDB-2020-008955
baseSeverity: HIGH
baseScore: 8.2
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-181509 // JVNDB: JVNDB-2020-008955 // CNNVD: CNNVD-202007-1700 // NVD: CVE-2020-3384 // NVD: CVE-2020-3384

PROBLEMTYPE DATA

problemtype:CWE-184

Trust: 1.0

problemtype:NVD-CWE-Other

Trust: 1.0

problemtype:CWE-Other

Trust: 0.8

sources: JVNDB: JVNDB-2020-008955 // NVD: CVE-2020-3384

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202007-1700

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202007-1700

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2020-008955

PATCH
title:cisco-sa-dcnm-rest-inj-BCt8pwAJurl:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dcnm-rest-inj-BCt8pwAJ
Trust: 0.8
title:Cisco Data Center Network Manager Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=125210
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2020-008955 // 
            
            
            
            CNNVD: CNNVD-202007-1700

EXTERNAL IDS
db:NVDid:CVE-2020-3384
Trust: 2.5
db:JVNDBid:JVNDB-2020-008955
Trust: 0.8
db:CNNVDid:CNNVD-202007-1700
Trust: 0.7
db:NSFOCUSid:47811
Trust: 0.6
db:AUSCERTid:ESB-2020.2600
Trust: 0.6
db:CNVDid:CNVD-2020-44064
Trust: 0.1
db:VULHUBid:VHN-181509
Trust: 0.1
sources:
            
            
            VULHUB: VHN-181509 // 
            
            
            
            JVNDB: JVNDB-2020-008955 // 
            
            
            
            CNNVD: CNNVD-202007-1700 // 
            
            
            
            NVD: CVE-2020-3384

REFERENCES
url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-dcnm-rest-inj-bct8pwaj
Trust: 2.3
url:https://nvd.nist.gov/vuln/detail/cve-2020-3384
Trust: 1.4
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-3384
Trust: 0.8
url:https://www.auscert.org.au/bulletins/esb-2020.2600/
Trust: 0.6
url:http://www.nsfocus.net/vulndb/47811
Trust: 0.6
url:https://vigilance.fr/vulnerability/cisco-data-center-network-manager-code-execution-via-rest-api-endpoints-32968
Trust: 0.6
url:https://media.cert.europa.eu/static/securityadvisories/2020/cert-eu-sa2020-039.pdf
Trust: 0.6
sources:
            
            
            VULHUB: VHN-181509 // 
            
            
            
            JVNDB: JVNDB-2020-008955 // 
            
            
            
            CNNVD: CNNVD-202007-1700 // 
            
            
            
            NVD: CVE-2020-3384

SOURCES
db:VULHUBid:VHN-181509
db:JVNDBid:JVNDB-2020-008955
db:CNNVDid:CNNVD-202007-1700
db:NVDid:CVE-2020-3384

LAST UPDATE DATE
2024-08-14T14:03:38.214000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-181509date:2020-08-05T00:00:00
db:JVNDBid:JVNDB-2020-008955date:2020-10-08T00:00:00
db:CNNVDid:CNNVD-202007-1700date:2020-08-17T00:00:00
db:NVDid:CVE-2020-3384date:2023-11-07T03:22:39.590

SOURCES RELEASE DATE
db:VULHUBid:VHN-181509date:2020-07-31T00:00:00
db:JVNDBid:JVNDB-2020-008955date:2020-10-08T00:00:00
db:CNNVDid:CNNVD-202007-1700date:2020-07-29T00:00:00
db:NVDid:CVE-2020-3384date:2020-07-31T00:15:13.303