CVE-2024-20444

Oct. 2, 2024, 5:15 p.m.

Received
CVE has been recently published to the CVE List and has been received by the NVD.

Products

Cisco Nexus Dashboard Fabric Controller

Source

ykramarz@cisco.com

CVE-2024-20444 details

Published : Oct. 2, 2024, 5:15 p.m.
Last Modified : Oct. 2, 2024, 5:15 p.m.

Description

A vulnerability in Cisco Nexus Dashboard Fabric Controller (NDFC), formerly Cisco Data Center Network Manager (DCNM), could allow an authenticated, remote attacker with network-admin privileges to perform a command injection attack against an affected device.

This vulnerability is due to insufficient validation of command arguments. An attacker could exploit this vulnerability by submitting crafted command arguments to a specific REST API endpoint. A successful exploit could allow the attacker to overwrite sensitive files or crash a specific container, which would restart on its own, causing a low-impact denial of service (DoS) condition.

CVSS Score

5.5

Weakness

Weakness: CWE-88
Name: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Description: The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

CVSS Data

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

LOW

Base Score

5.5

Exploitability Score

1.2

Impact Score

4.2

Base Severity

MEDIUM

This website uses the NVD API, but is not approved or certified by it.