A vulnerability, which was classified as critical, has been found in Cisco Data Center Network Manager. Affected by this issue is an unknown functionality of the component REST API. The manipulation with an unknown input leads to a input validation vulnerability. Using CWE to declare the problem leads to CWE-20. The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Impacted is confidentiality, integrity, and availability. CVE summarizes:

A vulnerability in a specific REST API method of Cisco Data Center Network Manager (DCNM) Software could allow an authenticated, remote attacker to conduct a path traversal attack on an affected device. The vulnerability is due to insufficient validation of user-supplied input to the API. An attacker could exploit this vulnerability by sending a crafted request to the API. A successful exploit could allow the attacker to overwrite arbitrary files on the affected device.

The weakness was disclosed 08/19/2020 as cisco-sa-dcnm-patrav-pW9RkhyW as confirmed advisory (Website). The advisory is shared for download at tools.cisco.com. This vulnerability is handled as CVE-2020-3519. The attack may be launched remotely. The successful exploitation needs a simple authentication. There are neither technical details nor an exploit publicly available.

Upgrading to version 11.4(1) eliminates this vulnerability. A possible mitigation has been published immediately after the disclosure of the vulnerability.

The entries 160114, 160110 and 160109 are pretty similar.

Productinfo

Vendor

• Cisco

Name

• Data Center Network Manager

License

• commercial

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion