ID

VAR-202007-1052


CVE

CVE-2020-3386


TITLE

Cisco Data Center Network Manager Unauthorized authentication vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2020-008956

DESCRIPTION

A vulnerability in the REST API endpoint of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker with a low-privileged account to bypass authorization on the API of an affected device. The vulnerability is due to insufficient authorization of certain API functions. An attacker could exploit this vulnerability by sending a crafted request to the API using low-privileged credentials. A successful exploit could allow the attacker to perform arbitrary actions through the REST API with administrative privileges. Cisco Data Center Network Manager (DCNM) Exists in a fraudulent authentication vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. The system is available for Cisco Nexus and MDS series switches and provides storage visualization, configuration and troubleshooting functions

Trust: 1.71

sources: NVD: CVE-2020-3386 // JVNDB: JVNDB-2020-008956 // VULHUB: VHN-181511

AFFECTED PRODUCTS

vendor:ciscomodel:data center network managerscope:ltversion:11.4\(1\)

Trust: 1.0

vendor:ciscomodel:data center network managerscope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2020-008956 // NVD: CVE-2020-3386

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-3386
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3386
value: HIGH

Trust: 1.0

NVD: JVNDB-2020-008956
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202007-1695
value: HIGH

Trust: 0.6

VULHUB: VHN-181511
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2020-3386
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-008956
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-181511
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-3386
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3386
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.0

NVD: JVNDB-2020-008956
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-181511 // JVNDB: JVNDB-2020-008956 // CNNVD: CNNVD-202007-1695 // NVD: CVE-2020-3386 // NVD: CVE-2020-3386

PROBLEMTYPE DATA

problemtype:CWE-863

Trust: 1.9

problemtype:CWE-285

Trust: 1.0

sources: VULHUB: VHN-181511 // JVNDB: JVNDB-2020-008956 // NVD: CVE-2020-3386

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202007-1695

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-202007-1695

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-008956

PATCH

title:cisco-sa-dcnm-improper-auth-7Krd9TDTurl:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dcnm-improper-auth-7Krd9TDT

Trust: 0.8

title:Cisco Data Center Network Manager Remediation measures for authorization problem vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=125205

Trust: 0.6

sources: JVNDB: JVNDB-2020-008956 // CNNVD: CNNVD-202007-1695

EXTERNAL IDS

db:NVDid:CVE-2020-3386

Trust: 2.5

db:JVNDBid:JVNDB-2020-008956

Trust: 0.8

db:CNNVDid:CNNVD-202007-1695

Trust: 0.7

db:NSFOCUSid:47817

Trust: 0.6

db:AUSCERTid:ESB-2020.2600

Trust: 0.6

db:CNVDid:CNVD-2020-44066

Trust: 0.1

db:VULHUBid:VHN-181511

Trust: 0.1

sources: VULHUB: VHN-181511 // JVNDB: JVNDB-2020-008956 // CNNVD: CNNVD-202007-1695 // NVD: CVE-2020-3386

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-dcnm-improper-auth-7krd9tdt

Trust: 2.3

url:https://nvd.nist.gov/vuln/detail/cve-2020-3386

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-3386

Trust: 0.8

url:https://www.auscert.org.au/bulletins/esb-2020.2600/

Trust: 0.6

url:https://vigilance.fr/vulnerability/cisco-data-center-network-manager-privilege-escalation-via-rest-api-32965

Trust: 0.6

url:http://www.nsfocus.net/vulndb/47817

Trust: 0.6

url:https://media.cert.europa.eu/static/securityadvisories/2020/cert-eu-sa2020-039.pdf

Trust: 0.6

sources: VULHUB: VHN-181511 // JVNDB: JVNDB-2020-008956 // CNNVD: CNNVD-202007-1695 // NVD: CVE-2020-3386

SOURCES

db:VULHUBid:VHN-181511
db:JVNDBid:JVNDB-2020-008956
db:CNNVDid:CNNVD-202007-1695
db:NVDid:CVE-2020-3386

LAST UPDATE DATE

2024-08-14T14:03:38.188000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-181511date:2020-08-05T00:00:00
db:JVNDBid:JVNDB-2020-008956date:2020-10-08T00:00:00
db:CNNVDid:CNNVD-202007-1695date:2020-08-18T00:00:00
db:NVDid:CVE-2020-3386date:2020-08-05T19:45:32.467

SOURCES RELEASE DATE

db:VULHUBid:VHN-181511date:2020-07-31T00:00:00
db:JVNDBid:JVNDB-2020-008956date:2020-10-08T00:00:00
db:CNNVDid:CNNVD-202007-1695date:2020-07-29T00:00:00
db:NVDid:CVE-2020-3386date:2020-07-31T00:15:13.383