Cisco Unified Computing System vulnerabilities

63 known vulnerabilities affecting cisco/cisco_unified_computing_system.

Total CVEs: 63
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 20, MEDIUM 40, LOW 1

Vulnerabilities

Page 3 of 4
CVE-2020-3371 | HIGH | CVSS 8.8 | vn/a | 2020-11-06
CVE-2020-3371 [HIGH] CWE-78: A vulnerability in the web UI of Cisco Integrated Management Controller (IMC) could allow an authenticated, remote attacker to inject arbitrary code and execute arbitrary commands at the underlying operating system level. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending crafted commands to
Sources: cvelistv5, nvd
CVE-2020-3504 | LOW | CVSS 3.3 | vn/a | 2020-08-27
CVE-2020-3504 [LOW] CWE-664: A vulnerability in the local management (local-mgmt) CLI of Cisco UCS Manager Software could allow an authenticated, local attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to improper handling of CLI command parameters. An attacker could exploit this vulnerability by executing specific commands on the
Sources: cvelistv5, nvd
CVE-2020-3241 | MEDIUM | CVSS 6.5 | vn/a | 2020-06-18
CVE-2020-3241 [MEDIUM] CWE-22: A vulnerability in the orchestration tasks of Cisco UCS Director could allow an authenticated, remote attacker to perform a path traversal attack on an affected device. The vulnerability is due to insufficient validation of user-supplied input on the web-based management interface. An attacker could exploit this vulnerability by creating a task with sp
Sources: cvelistv5, nvd
CVE-2020-3242 | MEDIUM | CVSS 4.9 | vn/a | 2020-06-18
CVE-2020-3242 [MEDIUM] CWE-200: A vulnerability in the REST API of Cisco UCS Director could allow an authenticated, remote attacker with administrative privileges to obtain confidential information from an affected device. The vulnerability exists because confidential information is returned as part of an API response. An attacker could exploit this vulnerability by sending a crafted
Sources: cvelistv5, nvd
CVE-2020-3173 | HIGH | CVSS 7.8 | ≥ unspecified, < n/a | 2020-02-26
CVE-2020-3173 [HIGH] CWE-78: A vulnerability in the local management (local-mgmt) CLI of Cisco UCS Manager Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system (OS) on an affected device. The vulnerability is due to insufficient input validation of command arguments. An attacker could exploit this vulnerability by inc
Sources: cvelistv5, nvd
CVE-2020-3172 | HIGH | CVSS 8.8 | ≥ unspecified, < n/a | 2020-02-26
CVE-2020-3172 [HIGH] CWE-20: A vulnerability in the Cisco Discovery Protocol feature of Cisco FXOS Software and Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to execute arbitrary code as root or cause a denial of service (DoS) condition on an affected device. The vulnerability exists because of insufficiently validated Cisco Discovery Protocol packet headers
Sources: cvelistv5, nvd
CVE-2020-3119 | HIGH | CVSS 8.8 | ≥ unspecified, < 9.3(2) | 2020-02-05
CVE-2020-3119 [HIGH] CWE-787: A vulnerability in the Cisco Discovery Protocol implementation for Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to execute arbitrary code or cause a reload on an affected device. The vulnerability exists because the Cisco Discovery Protocol parser does not properly validate input for certain fields in a Cisco Discovery Protocol
Sources: cvelistv5, nvd
CVE-2019-1966 | HIGH | CVSS 7.8 | ≥ unspecified, < 4.0(2a) | 2019-08-30
CVE-2019-1966 [HIGH] CWE-264: A vulnerability in a specific CLI command within the local management (local-mgmt) context for Cisco UCS Fabric Interconnect Software could allow an authenticated, local attacker to gain elevated privileges as the root user on an affected device. The vulnerability is due to extraneous subcommand options present for a specific CLI command within the loca
Sources: cvelistv5, nvd
CVE-2019-1962 | HIGH | CVSS 7.5 | ≥ unspecified, < 8.4(1) | 2019-08-28
CVE-2019-1962 [HIGH] CWE-20: A vulnerability in the Cisco Fabric Services component of Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause process crashes, which can result in a denial of service (DoS) condition on an affected system. The vulnerability is due to insufficient validation of TCP packets when processed by the Cisco Fabric Services over IP (CFSo
Sources: cvelistv5, nvd
CVE-2019-1963 | MEDIUM | CVSS 6.5 | ≥ unspecified, < 8.4(1) | 2019-08-28
CVE-2019-1963 [MEDIUM] CWE-20: A vulnerability in the Simple Network Management Protocol (SNMP) input packet processor of Cisco FXOS Software and Cisco NX-OS Software could allow an authenticated, remote attacker to cause the SNMP application on an affected device to restart unexpectedly. The vulnerability is due to improper validation of Abstract Syntax Notation One (ASN.1)-encoded
Sources: cvelistv5, nvd
CVE-2019-1908 | HIGH | CVSS 7.5 | ≥ unspecified, < 3.0(4k) | 2019-08-21
CVE-2019-1908 [HIGH] CWE-200: A vulnerability in the Intelligent Platform Management Interface (IPMI) implementation of Cisco Integrated Management Controller (IMC) could allow an unauthenticated, remote attacker to view sensitive system information. The vulnerability is due to insufficient security restrictions imposed by the affected software. A successful exploit could allow the
Sources: cvelistv5, nvd
CVE-2019-1900 | HIGH | CVSS 7.5 | ≥ unspecified, < 4.0(2f) | 2019-08-21
CVE-2019-1900 [HIGH] CWE-476: A vulnerability in the web server of Cisco Integrated Management Controller (IMC) could allow an unauthenticated, remote attacker to cause the web server process to crash, causing a denial of service (DoS) condition on an affected system. The vulnerability is due to insufficient validation of user-supplied input on the web interface. An attacker could e
Sources: cvelistv5, nvd
CVE-2019-1885 | HIGH | CVSS 7.2 | ≥ unspecified, < 3.0(4k) | 2019-08-21
CVE-2019-1885 [HIGH] CWE-78: A vulnerability in the Redfish protocol of Cisco Integrated Management Controller (IMC) could allow an authenticated, remote attacker to inject and execute arbitrary commands with root privileges on an affected device. The vulnerability is due to insufficient validation of user-supplied input by the affected software. An attacker could exploit this vulner
Sources: cvelistv5, nvd
CVE-2019-1907 | HIGH | CVSS 8.8 | ≥ unspecified, < 4.0(2f) | 2019-08-21
CVE-2019-1907 [HIGH] CWE-285: A vulnerability in the web server of Cisco Integrated Management Controller (IMC) could allow an authenticated, remote attacker to set sensitive configuration values and gain elevated privileges. The vulnerability is due to improper handling of substring comparison operations that are performed by the affected software. An attacker could exploit this vu
Sources: cvelistv5, nvd
CVE-2019-1871 | HIGH | CVSS 7.2 | ≥ unspecified, < 3.0(4k) | 2019-08-21
CVE-2019-1871 [HIGH] CWE-119: A vulnerability in the Import Cisco IMC configuration utility of Cisco Integrated Management Controller (IMC) could allow an authenticated, remote attacker to cause a denial of service (DoS) condition and implement arbitrary commands with root privileges on an affected device. The vulnerability is due to improper bounds checking by the import-config pro
Sources: cvelistv5, nvd
CVE-2019-1632 | HIGH | CVSS 8.0 | v4.0 | 2019-06-20
CVE-2019-1632 [HIGH] CWE-352: A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) could allow an authenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF protections for the web-based management interface of
Sources: cvelistv5, nvd
CVE-2019-1627 | MEDIUM | CVSS 6.5 | ≥ unspecified, < 4.0(4b) | 2019-06-20
CVE-2019-1627 [MEDIUM] CWE-78: A vulnerability in the Server Utilities of Cisco Integrated Management Controller (IMC) could allow an authenticated, remote attacker to gain unauthorized access to sensitive user information from the configuration data that is stored on the affected system. The vulnerability is due to insufficient protection of data in the configuration file. An attack
Sources: cvelistv5, nvd
CVE-2019-1628 | MEDIUM | CVSS 5.5 | ≥ unspecified, < 4.0(4b) | 2019-06-20
CVE-2019-1628 [MEDIUM] CWE-191: A vulnerability in the web server of Cisco Integrated Management Controller (IMC) could allow an authenticated, local attacker to cause a buffer overflow, resulting in a denial of service (DoS) condition on an affected device. The vulnerability is due to incorrect bounds checking. An attacker could exploit this vulnerability by sending a crafted HTTP
Sources: cvelistv5, nvd
CVE-2019-1630 | MEDIUM | CVSS 5.5 | v4.0 | 2019-06-20
CVE-2019-1630 [MEDIUM] CWE-119: A vulnerability in the firmware signature checking program of Cisco Integrated Management Controller (IMC) could allow an authenticated, local attacker to cause a buffer overflow, resulting in a denial of service (DoS) condition. The vulnerability is due to insufficient checking of an input buffer. An attacker could exploit this vulnerability by passi
Sources: cvelistv5, nvd
CVE-2019-1879 | MEDIUM | CVSS 6.7 | v4.0 | 2019-06-20
CVE-2019-1879 [MEDIUM] CWE-78: A vulnerability in the CLI of Cisco Integrated Management Controller (IMC) could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges. The vulnerability is due to insufficient validation of user-supplied input at the CLI. An attacker could exploit this vulnerability by authenticating with the admini
Sources: cvelistv5, nvd