ID

VAR-202011-1030


CVE

CVE-2020-3586


TITLE

OS command injection vulnerability in Cisco DNA Spaces Connector

Trust: 0.8

sources: JVNDB: JVNDB-2020-013762

DESCRIPTION

A vulnerability in the web-based management interface of Cisco DNA Spaces Connector could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device. The vulnerability is due to insufficient validation of user-supplied input in the web-based management interface. An attacker could exploit this vulnerability by sending crafted HTTP requests to the web-based management interface. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with privileges of the web-based management application, which is running as a restricted user. This could result in changes being made to pages served by the web-based management application, impacting the integrity or availability of the web-based management application. Cisco DNA Spaces is an indoor positioning service platform from Cisco.

Trust: 1.71

sources: NVD: CVE-2020-3586 // JVNDB: JVNDB-2020-013762 // VULHUB: VHN-181711

AFFECTED PRODUCTS

vendor: cisco, model: dna spaces\: connector, scope: lte, version: 2.2

Trust: 1.0

vendor: Cisco Systems, model: cisco dna spaces: connector, scope: eq, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2020-013762 // NVD: CVE-2020-3586

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-3586
value: CRITICAL

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3586
value: CRITICAL

Trust: 1.0

NVD: CVE-2020-3586
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-202011-1607
value: CRITICAL

Trust: 0.6

VULHUB: VHN-181711
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2020-3586
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-181711
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-3586
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3586
baseSeverity: CRITICAL
baseScore: 9.4
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.5
version: 3.1

Trust: 1.0

NVD: CVE-2020-3586
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-181711 // JVNDB: JVNDB-2020-013762 // CNNVD: CNNVD-202011-1607 // NVD: CVE-2020-3586 // NVD: CVE-2020-3586

PROBLEMTYPE DATA

problemtype: CWE-78

Trust: 1.1

problemtype: OS Command injection (CWE-78) [NVD Evaluation]

Trust: 0.8

sources: VULHUB: VHN-181711 // JVNDB: JVNDB-2020-013762 // NVD: CVE-2020-3586

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202011-1607

TYPE

operating system command injection

Trust: 0.6

sources: CNNVD: CNNVD-202011-1607

PATCH

title: cisco-sa-dna-cmd-injection-rrAYzOwc, url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dna-cmd-injection-rrAYzOwc

Trust: 0.8

title: Cisco DNA Spaces Fixes for operating system command injection vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=134332

Trust: 0.6

sources: JVNDB: JVNDB-2020-013762 // CNNVD: CNNVD-202011-1607

EXTERNAL IDS

db: NVD, id: CVE-2020-3586

Trust: 2.5

db: JVNDB, id: JVNDB-2020-013762

Trust: 0.8

db: AUSCERT, id: ESB-2020.4103

Trust: 0.6

db: CNNVD, id: CNNVD-202011-1607

Trust: 0.6

db: CNVD, id: CNVD-2020-66205

Trust: 0.1

db: VULHUB, id: VHN-181711

Trust: 0.1

sources: VULHUB: VHN-181711 // JVNDB: JVNDB-2020-013762 // CNNVD: CNNVD-202011-1607 // NVD: CVE-2020-3586

REFERENCES

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-dna-cmd-injection-rrayzowc

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2020-3586

Trust: 1.4

url: https://www.auscert.org.au/bulletins/esb-2020.4103/

Trust: 0.6

sources: VULHUB: VHN-181711 // JVNDB: JVNDB-2020-013762 // CNNVD: CNNVD-202011-1607 // NVD: CVE-2020-3586

SOURCES

db: VULHUB, id: VHN-181711
db: JVNDB, id: JVNDB-2020-013762
db: CNNVD, id: CNNVD-202011-1607
db: NVD, id: CVE-2020-3586

LAST UPDATE DATE

2024-11-23T22:40:51.028000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-181711, date: 2020-12-02T00:00:00
db: JVNDB, id: JVNDB-2020-013762, date: 2021-07-13T07:56:00
db: CNNVD, id: CNNVD-202011-1607, date: 2020-12-03T00:00:00
db: NVD, id: CVE-2020-3586, date: 2024-11-21T05:31:21.747

SOURCES RELEASE DATE

db: VULHUB, id: VHN-181711, date: 2020-11-18T00:00:00
db: JVNDB, id: JVNDB-2020-013762, date: 2021-07-13T00:00:00
db: CNNVD, id: CNNVD-202011-1607, date: 2020-11-18T00:00:00
db: NVD, id: CVE-2020-3586, date: 2020-11-18T19:15:12.837