Back

CVE-2024-20365

Oct. 2, 2024, 5:15 p.m.

Received
CVE has been recently published to the CVE List and has been received by the NVD.

Products

Cisco UCS B-Series

Cisco UCS Managed C-Series

Cisco UCS X-Series

Source

ykramarz@cisco.com

Tags

ykramarz@cisco.com
CWE-77
2024-10-02
CVE-2024-20365

CVE-2024-20365 details

Published : Oct. 2, 2024, 5:15 p.m.
Last Modified : Oct. 2, 2024, 5:15 p.m.

Description

A vulnerability in the Redfish API of Cisco UCS B-Series, Cisco UCS Managed C-Series, and Cisco UCS X-Series Servers could allow an authenticated, remote attacker with administrative privileges to perform command injection attacks on an affected system and elevate privileges to root. This vulnerability is due to insufficient input validation. An attacker with administrative privileges could exploit this vulnerability by sending crafted commands through the Redfish API on an affected device. A successful exploit could allow the attacker to elevate privileges to root.

CVSS Score

1 2 3 4 5 6.5 7 8 9 10

Weakness

Weakness Name Description
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection') The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

CVSS Data

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

6.5

Exploitability Score

1.2

Impact Score

5.2

Base Severity

MEDIUM

Vector String : CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

References

URL Source
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cimc-redfish-cominj-sbkv5ZZ ykramarz@cisco.com
This website uses the NVD API, but is not approved or certified by it.