ID

VAR-202011-1015


CVE

CVE-2020-3371


TITLE

OS command injection vulnerability in Cisco Integrated Management Controller

Trust: 0.8

sources: JVNDB: JVNDB-2020-013358

DESCRIPTION

A vulnerability in the web UI of Cisco Integrated Management Controller (IMC) could allow an authenticated, remote attacker to inject arbitrary code and execute arbitrary commands at the underlying operating system level. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending crafted commands to the web-based management interface of the affected software. A successful exploit could allow the attacker to inject and execute arbitrary commands at the underlying operating system level. Cisco® Integrated Management Controller (IMC) is an integrated management software used for server management and monitoring by Cisco.

Trust: 1.71

sources: NVD: CVE-2020-3371 // JVNDB: JVNDB-2020-013358 // VULHUB: VHN-181496

AFFECTED PRODUCTS

vendor: cisco, model: integrated management controller, scope: lt, version: 3.0\(3e\)

Trust: 1.0

vendor: シスコシステムズ, model: cisco integrated management controller, scope: eq, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2020-013358 // NVD: CVE-2020-3371

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-3371
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3371
value: MEDIUM

Trust: 1.0

NVD: CVE-2020-3371
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202011-299
value: HIGH

Trust: 0.6

VULHUB: VHN-181496
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2020-3371
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-181496
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-3371
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3371
baseSeverity: MEDIUM
baseScore: 6.3
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 2.8
impactScore: 3.4
version: 3.1

Trust: 1.0

NVD: CVE-2020-3371
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-181496 // JVNDB: JVNDB-2020-013358 // CNNVD: CNNVD-202011-299 // NVD: CVE-2020-3371 // NVD: CVE-2020-3371

PROBLEMTYPE DATA

problemtype: CWE-78

Trust: 1.1

problemtype: OS Command injection (CWE-78) [NVD Evaluation]

Trust: 0.8

sources: VULHUB: VHN-181496 // JVNDB: JVNDB-2020-013358 // NVD: CVE-2020-3371

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202011-299

TYPE

operating system command injection

Trust: 0.6

sources: CNNVD: CNNVD-202011-299

PATCH

title: cisco-sa-CIMC-CIV-pKDBe9x5, url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-CIMC-CIV-pKDBe9x5

Trust: 0.8

title: Cisco Integrated Management Controller Fixes for operating system command injection vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=134502

Trust: 0.6

sources: JVNDB: JVNDB-2020-013358 // CNNVD: CNNVD-202011-299

EXTERNAL IDS

db: NVD, id: CVE-2020-3371

Trust: 2.5

db: JVNDB, id: JVNDB-2020-013358

Trust: 0.8

db: AUSCERT, id: ESB-2020.3817

Trust: 0.6

db: CNNVD, id: CNNVD-202011-299

Trust: 0.6

db: VULHUB, id: VHN-181496

Trust: 0.1

sources: VULHUB: VHN-181496 // JVNDB: JVNDB-2020-013358 // CNNVD: CNNVD-202011-299 // NVD: CVE-2020-3371

REFERENCES

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-cimc-civ-pkdbe9x5

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2020-3371

Trust: 1.4

url: https://www.auscert.org.au/bulletins/esb-2020.3817/

Trust: 0.6

sources: VULHUB: VHN-181496 // JVNDB: JVNDB-2020-013358 // CNNVD: CNNVD-202011-299 // NVD: CVE-2020-3371

SOURCES

db: VULHUB, id: VHN-181496
db: JVNDB, id: JVNDB-2020-013358
db: CNNVD, id: CNNVD-202011-299
db: NVD, id: CVE-2020-3371

LAST UPDATE DATE

2024-08-14T14:11:34.945000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-181496, date: 2020-11-20T00:00:00
db: JVNDB, id: JVNDB-2020-013358, date: 2021-06-28T08:08:00
db: CNNVD, id: CNNVD-202011-299, date: 2020-11-24T00:00:00
db: NVD, id: CVE-2020-3371, date: 2023-11-07T03:22:38.467

SOURCES RELEASE DATE

db: VULHUB, id: VHN-181496, date: 2020-11-06T00:00:00
db: JVNDB, id: JVNDB-2020-013358, date: 2021-06-28T00:00:00
db: CNNVD, id: CNNVD-202011-299, date: 2020-11-04T00:00:00
db: NVD, id: CVE-2020-3371, date: 2020-11-06T19:15:14.347