CVE-2024-20385: Improper Certificate Validation in Cisco Nexus Dashboard Orchestrator

Severity: 5.9 MEDIUM (NVD)
EPSS: 0.2% (top 62.64%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 2

Description

A vulnerability in the SSL/TLS implementation of Cisco Nexus Dashboard Orchestrator (NDO) could allow an unauthenticated, remote attacker to intercept sensitive information from an affected device. This vulnerability exists because the Cisco NDO Validate Peer Certificate site management feature validates the certificates for Cisco Application Policy Infrastructure Controller (APIC), Cisco Cloud Network Controller (CNC), and Cisco Nexus Dashboard only when a new site is added or an existing one

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.2 | Impact: 3.6

Affected Packages: 2 packages

NVD: cisco/nexus_dashboard_orchestrator 4.3.0 4.4\(1.1009\) +1

🔴 Vulnerability Details (2)

CVEList: Cisco Nexus Dashboard Orchestrator SSL Certificate Validation Vulnerability (2024-10-02)
GHSA: GHSA-qqf3-h6hq-fm58: A vulnerability in the SSL/TLS implementation of Cisco Nexus Dashboard Orchestrator (NDO) could allow an unauthenticated, remote attacker to intercept (2024-10-02)

📋 Vendor Advisories (1)

Cisco: Cisco Nexus Dashboard Orchestrator SSL/TLS Certificate Validation Vulnerability (2024-10-02)