ID

VAR-202008-0829


CVE

CVE-2020-3521


TITLE

Input validation vulnerability in Cisco Data Center Network Manager

Trust: 0.8

sources: JVNDB: JVNDB-2020-010214

DESCRIPTION

A vulnerability in a specific REST API of Cisco Data Center Network Manager (DCNM) Software could allow an authenticated, remote attacker to conduct directory traversal attacks on an affected device. The vulnerability is due to insufficient validation of user-supplied input to the API. An attacker with a low-privileged account could exploit this vulnerability by sending a crafted request to the API. A successful exploit could allow the attacker to read arbitrary files on the affected system. The system is available for Cisco Nexus and MDS series switches and provides storage visualization, configuration and troubleshooting functions.

Trust: 1.71

sources: NVD: CVE-2020-3521 // JVNDB: JVNDB-2020-010214 // VULHUB: VHN-181646

AFFECTED PRODUCTS

vendor: cisco, model: data center network manager, scope: lt, version: 11.4(1)

Trust: 1.0

vendor: cisco, model: data center network manager, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2020-010214 // NVD: CVE-2020-3521

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-3521
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3521
value: MEDIUM

Trust: 1.0

NVD: JVNDB-2020-010214
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202008-955
value: MEDIUM

Trust: 0.6

VULHUB: VHN-181646
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-3521
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-010214
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-181646
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-3521
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.1

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3521
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.6
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-010214
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-181646 // JVNDB: JVNDB-2020-010214 // CNNVD: CNNVD-202008-955 // NVD: CVE-2020-3521 // NVD: CVE-2020-3521

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.9

sources: VULHUB: VHN-181646 // JVNDB: JVNDB-2020-010214 // NVD: CVE-2020-3521

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202008-955

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-202008-955

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-010214

PATCH

title: cisco-sa-dcnm-file-path-6PKONjHe
url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dcnm-file-path-6PKONjHe

Trust: 0.8

title: Fix for the Cisco Data Center Network Manager input validation error vulnerability
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=126751

Trust: 0.6

sources: JVNDB: JVNDB-2020-010214 // CNNVD: CNNVD-202008-955

EXTERNAL IDS

db: NVD, id: CVE-2020-3521

Trust: 2.5

db: JVNDB, id: JVNDB-2020-010214

Trust: 0.8

db: CNNVD, id: CNNVD-202008-955

Trust: 0.7

db: NSFOCUS, id: 48725

Trust: 0.6

db: AUSCERT, id: ESB-2020.2855

Trust: 0.6

db: CNVD, id: CNVD-2020-48218

Trust: 0.1

db: VULHUB, id: VHN-181646

Trust: 0.1

sources: VULHUB: VHN-181646 // JVNDB: JVNDB-2020-010214 // CNNVD: CNNVD-202008-955 // NVD: CVE-2020-3521

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-dcnm-file-path-6pkonjhe

Trust: 2.3

url:https://nvd.nist.gov/vuln/detail/cve-2020-3521

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-3521

Trust: 0.8

url:https://vigilance.fr/vulnerability/cisco-data-center-network-manager-directory-traversal-via-rest-api-33112

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.2855/

Trust: 0.6

url:http://www.nsfocus.net/vulndb/48725

Trust: 0.6

sources: VULHUB: VHN-181646 // JVNDB: JVNDB-2020-010214 // CNNVD: CNNVD-202008-955 // NVD: CVE-2020-3521

SOURCES

db: VULHUB, id: VHN-181646
db: JVNDB, id: JVNDB-2020-010214
db: CNNVD, id: CNNVD-202008-955
db: NVD, id: CVE-2020-3521

LAST UPDATE DATE

2024-08-14T13:24:15.063000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-181646, date: 2021-10-19T00:00:00
db: JVNDB, id: JVNDB-2020-010214, date: 2020-12-28T06:45:38
db: CNNVD, id: CNNVD-202008-955, date: 2020-09-14T00:00:00
db: NVD, id: CVE-2020-3521, date: 2023-11-07T03:22:51.130

SOURCES RELEASE DATE

db: VULHUB, id: VHN-181646, date: 2020-08-26T00:00:00
db: JVNDB, id: JVNDB-2020-010214, date: 2020-12-28T06:45:38
db: CNNVD, id: CNNVD-202008-955, date: 2020-08-19T00:00:00
db: NVD, id: CVE-2020-3521, date: 2020-08-26T17:15:14.833