CVE-2017-3801

Severity: 8.8 HIGH
EPSS: 0.1% (top 84.49%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Feb 15
Latest update: May 13

Description

A vulnerability in the web-based GUI of Cisco UCS Director 6.0.0.0 and 6.0.0.1 could allow an authenticated, local attacker to execute arbitrary workflow items with just an end-user profile, a Privilege Escalation Vulnerability. The vulnerability is due to improper role-based access control (RBAC) after the Developer Menu is enabled in Cisco UCS Director. An attacker could exploit this vulnerability by enabling Developer Mode for his/her user profile with an end-user profile and then adding new

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Exploitability: 2.0 | Impact: 6.0

Affected Packages (2 packages)

CVEListV5 | cisco_ucs_director_versions_6.0.0.0_and_6.0.0.1 | Cisco UCS Director versions 6.0.0.0 and 6.0.0.1

🔴 Vulnerability Details (2)

GHSA | GHSA-f4q6-c8q7-9mcw: A vulnerability in the web-based GUI of Cisco UCS Director 6 | 2022-05-13
CVEList | CVE-2017-3801: A vulnerability in the web-based GUI of Cisco UCS Director 6 | 2017-02-15

📋 Vendor Advisories (1)

Cisco | Cisco UCS Director Privilege Escalation Vulnerability | 2017-02-15