CVE-2024-20438: Protection Mechanism Failure in Cisco Nexus Dashboard

Severity
NVD: 5.4 MEDIUM
CNA: 6.3
EPSS
0.1%
top 65.33%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Oct 2

Description

A vulnerability in the REST API endpoints of Cisco NDFC could allow an authenticated, low-privileged, remote attacker to read or write files on an affected device. This vulnerability exists because of missing authorization controls on some REST API endpoints. An attacker could exploit this vulnerability by sending crafted API requests to an affected endpoint. A successful exploit could allow the attacker to perform limited network-admin functions such as reading device configuration information

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.5

Affected Packages (3 packages)

CVEListV5: cisco/cisco_data_center_network_manager (11 versions)
NVD: cisco/nexus_dashboard < 3.2(1e)

🔴 Vulnerability Details (2)

CVEList: Cisco Nexus Dashboard Fabric Controller Unauthorized REST API Vulnerability (2024-10-02)
GHSA: GHSA-ghg6-rfg3-53g7: A vulnerability in the REST API endpoints of Cisco NDFC could allow an authenticated, low-privileged, remote attacker to read or write files on an aff (2024-10-02)

📋 Vendor Advisories (1)

Cisco: Cisco Nexus Dashboard and Nexus Dashboard Fabric Controller Unauthorized REST API Vulnerabilities (2024-10-02)