Cisco Network Services Orchestrator vulnerabilities

10 known vulnerabilities affecting cisco/cisco_network_services_orchestrator.

Total CVEs: 10
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 7, MEDIUM 3

Vulnerabilities

CVE-2021-1132 | HIGH | CVSS 7.5 | v5.3.1, v5.4.0.1, +2 more | 2024-11-18
CVE-2021-1132 [MEDIUM] CWE-35: A vulnerability in the API subsystem and in the web-management interface of Cisco Network Services Orchestrator (NSO) could allow an unauthenticated, remote attacker to access sensitive data. This vulnerability exists because the web-management interface and certain HTTP-based APIs do not properly validate user-supplied input. An attacker could exploit
Sources: cvelistv5, nvd

CVE-2022-20655 | HIGH | CVSS 8.8 | vN/A | 2024-11-15
CVE-2022-20655 [HIGH] CWE-78: A vulnerability in the implementation of the CLI on a device that is running ConfD could allow an authenticated, local attacker to perform a command injection attack. The vulnerability is due to insufficient validation of a process argument on an affected device. An attacker could exploit this vulnerability by injecting commands during the execution of
Sources: cvelistv5, nvd

CVE-2024-20381 | HIGH | CVSS 8.8 | v5.4.1, v5.3.1, +161 more | 2024-09-11
CVE-2024-20381 [HIGH] CWE-285: A vulnerability in the JSON-RPC API feature in Cisco Crosswork Network Services Orchestrator (NSO) and ConfD that is used by the web-based management interfaces of Cisco Optical Site Manager and Cisco RV340 Dual WAN Gigabit VPN Routers could allow an authenticated, remote attacker to modify the configuration of an affected application or device. This
Sources: cvelistv5, nvd

CVE-2024-20326 | HIGH | CVSS 7.8 | vN/A | 2024-05-16
CVE-2024-20326 [HIGH] CWE-78: A vulnerability in the ConfD CLI and the Cisco Crosswork Network Services Orchestrator CLI could allow an authenticated, low-privileged, local attacker to read and write arbitrary files as root on the underlying operating system. This vulnerability is due to improper authorization enforcement when specific CLI commands are used. An attacker could exp
Sources: cvelistv5, nvd

CVE-2024-20389 | HIGH | CVSS 7.8 | v6.0.11 | 2024-05-16
CVE-2024-20389 [HIGH] CWE-266: A vulnerability in the ConfD CLI and the Cisco Crosswork Network Services Orchestrator CLI could allow an authenticated, low-privileged, local attacker to read and write arbitrary files as root on the underlying operating system. This vulnerability is due to improper authorization enforcement when specific CLI commands are used. An attacker could ex
Sources: cvelistv5, nvd

CVE-2024-20366 | HIGH | CVSS 7.8 | v5.4, v5.5, +146 more | 2024-05-15
CVE-2024-20366 [HIGH] CWE-73: A vulnerability in the Tail-f High Availability Cluster Communications (HCC) function pack of Cisco Crosswork Network Services Orchestrator (NSO) could allow an authenticated, local attacker to elevate privileges to root on an affected device. This vulnerability exists because a user-controlled search path is used to locate executable files. An attacker
Sources: cvelistv5, nvd

CVE-2024-20369 | MEDIUM | CVSS 6.1 | v5.4, v5.5, +91 more | 2024-05-15
CVE-2024-20369 [MEDIUM] CWE-601: A vulnerability in the web-based management interface of Cisco Crosswork Network Services Orchestrator (NSO) could allow an unauthenticated, remote attacker to redirect a user to a malicious web page. This vulnerability is due to improper input validation of a parameter in an HTTP request. An attacker could exploit this vulnerability by persuading
Sources: cvelistv5, nvd

CVE-2023-20040 | MEDIUM | CVSS 5.5 | v4.7.3 | 2023-01-20
CVE-2023-20040 [MEDIUM] CWE-23: A vulnerability in the NETCONF service of Cisco Network Services Orchestrator (NSO) could allow an authenticated, remote attacker to cause a denial of service (DoS) on an affected system that is running as the root user. To exploit this vulnerability, the attacker must be a member of the admin group. This vulnerability exists because user-supplied in
Sources: cvelistv5, nvd

CVE-2020-3362 | MEDIUM | CVSS 4.7 | vn/a | 2020-06-18
CVE-2020-3362 [MEDIUM] CWE-200: A vulnerability in the CLI of Cisco Network Services Orchestrator (NSO) could allow an authenticated, local attacker to access confidential information on an affected device. The vulnerability is due to a timing issue in the processing of CLI commands. An attacker could exploit this vulnerability by executing a specific sequence of commands on the CLI
Sources: cvelistv5, nvd

CVE-2018-0463 | HIGH | CVSS 7.5 | vn/a | 2018-10-05
CVE-2018-0463 [HIGH] CWE-264: A vulnerability in the Cisco Network Plug and Play server component of Cisco Network Services Orchestrator (NSO) could allow an unauthenticated, remote attacker to gain unauthorized access to configuration data that is stored on an affected NSO system. The vulnerability exists because the Network Plug and Play component performs incomplete validation wh
Sources: cvelistv5, nvd