ID

VAR-202009-1162


CVE

CVE-2020-3478


TITLE

Cisco Enterprise NFV Infrastructure Software input validation vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2020-010749

DESCRIPTION

A vulnerability in the REST API of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, remote attacker to overwrite certain files that should be restricted on an affected device. The vulnerability is due to insufficient authorization enforcement on an affected system. An attacker could exploit this vulnerability by uploading a file using the REST API. A successful exploit could allow an attacker to overwrite and upload files, which could degrade the functionality of the affected system. Cisco Enterprise NFV Infrastructure Software (NFVIS) contains an input validation vulnerability. Information may be tampered with, and the system may be put into a denial-of-service (DoS) state. The platform provides full lifecycle management of virtualized services through the central coordinator and controller.

Trust: 1.71

sources: NVD: CVE-2020-3478 // JVNDB: JVNDB-2020-010749 // VULHUB: VHN-181603

AFFECTED PRODUCTS

vendor: cisco, model: enterprise network function virtualization infrastructure, scope: lte, version: 4.1.2

Trust: 1.0

vendor: cisco, model: enterprise network function virtualization infrastructure, scope: gte, version: 3.5.1

Trust: 1.0

vendor: Cisco Systems, model: cisco enterprise network functions virtualization infrastructure software, scope: -, version: -

Trust: 0.8

vendor: Cisco Systems, model: cisco enterprise network functions virtualization infrastructure software, scope: eq, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2020-010749 // NVD: CVE-2020-3478

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-3478
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3478
value: HIGH

Trust: 1.0

NVD: CVE-2020-3478
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202009-130
value: HIGH

Trust: 0.6

VULHUB: VHN-181603
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-3478
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-181603
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-3478
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.2
version: 3.1

Trust: 2.0

NVD: CVE-2020-3478
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-181603 // JVNDB: JVNDB-2020-010749 // CNNVD: CNNVD-202009-130 // NVD: CVE-2020-3478 // NVD: CVE-2020-3478

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.1

problemtype: Improper Input Validation (CWE-20) [NVD Evaluation]

Trust: 0.8

sources: VULHUB: VHN-181603 // JVNDB: JVNDB-2020-010749 // NVD: CVE-2020-3478

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202009-130

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-202009-130

PATCH

title: cisco-sa-nfvis-file-overwrite-UONzPMkr
url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nfvis-file-overwrite-UONzPMkr

Trust: 0.8

sources: JVNDB: JVNDB-2020-010749

EXTERNAL IDS

db: NVD, id: CVE-2020-3478

Trust: 2.5

db: JVNDB, id: JVNDB-2020-010749

Trust: 0.8

db: CNNVD, id: CNNVD-202009-130

Trust: 0.7

db: AUSCERT, id: ESB-2020.3034

Trust: 0.6

db: NSFOCUS, id: 49094

Trust: 0.6

db: CNVD, id: CNVD-2020-51770

Trust: 0.1

db: VULHUB, id: VHN-181603

Trust: 0.1

sources: VULHUB: VHN-181603 // JVNDB: JVNDB-2020-010749 // CNNVD: CNNVD-202009-130 // NVD: CVE-2020-3478

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-nfvis-file-overwrite-uonzpmkr

Trust: 2.3

url:https://nvd.nist.gov/vuln/detail/cve-2020-3478

Trust: 1.4

url:https://media.cert.europa.eu/static/securityadvisories/2020/cert-eu-sa2020-043.pdf

Trust: 0.6

url:http://www.nsfocus.net/vulndb/49094

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.3034/

Trust: 0.6

sources: VULHUB: VHN-181603 // JVNDB: JVNDB-2020-010749 // CNNVD: CNNVD-202009-130 // NVD: CVE-2020-3478

SOURCES

db: VULHUB, id: VHN-181603
db: JVNDB, id: JVNDB-2020-010749
db: CNNVD, id: CNNVD-202009-130
db: NVD, id: CVE-2020-3478

LAST UPDATE DATE

2024-08-14T14:38:19.417000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-181603, date: 2021-10-19T00:00:00
db: JVNDB, id: JVNDB-2020-010749, date: 2021-02-03T02:26:00
db: CNNVD, id: CNNVD-202009-130, date: 2020-10-22T00:00:00
db: NVD, id: CVE-2020-3478, date: 2023-11-07T03:22:46.863

SOURCES RELEASE DATE

db: VULHUB, id: VHN-181603, date: 2020-09-04T00:00:00
db: JVNDB, id: JVNDB-2020-010749, date: 2021-02-03T00:00:00
db: CNNVD, id: CNNVD-202009-130, date: 2020-09-02T00:00:00
db: NVD, id: CVE-2020-3478, date: 2020-09-04T03:15:10.387