Detections
Analytics
Cisco Data Center Network Manager Multiple Vulnerabilities (Aug 2020)
medium Nessus Plugin ID 139805
Language:
Synopsis
The remote device is missing a vendor-supplied security patchDescription
According to its self-reported version, Cisco Data Center Network Manager is affected by multiple vulnerabilities.- A vulnerability in a specific REST API of Cisco Data Center Network Manager (DCNM) Software could allow an authenticated, remote attacker to conduct directory traversal attacks on an affected device.
(CVE-2020-3521)
- A vulnerability in a certain REST API endpoint of Cisco Data Center Network Manager (DCNM) Software could allow an authenticated, remote attacker to perform a path traversal attack on an affected device. (CVE-2020-3538)
- A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to view, modify, and delete data without proper authorization. (CVE-2020-3539)
Please see the included Cisco BIDs and Cisco Security Advisory for more information.
Solution
Upgrade to the relevant fixed version referenced in Cisco bug ID's CSCvt86742, CSCvu57876, CSCvu28388See Also
http://www.nessus.org/u?8aa2e927
http://www.nessus.org/u?981ac19e
http://www.nessus.org/u?eecca8d6
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt86742
Plugin Details
Severity: Medium
ID: 139805
File Name: cisco-sa-dcnm-20200819.nasl
Version: 1.3
Type: combined
Family: CISCO
Published: 8/25/2020
Updated: 8/31/2020
Supported Sensors: Nessus
Risk Information
VPR
Risk Factor: Low
Score: 3.6
CVSS v2
Risk Factor: Medium
Base Score: 4
Temporal Score: 3
Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSS Score Source: CVE-2020-3521
CVSS v3
Risk Factor: Medium
Base Score: 6.5
Temporal Score: 5.7
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:cisco:data_center_network_manager
Required KB Items: installed_sw/Cisco Prime DCNM, installed_sw/cisco_dcnm_web
Exploit Ease: No known exploits are available
Patch Publication Date: 8/19/2020
Vulnerability Publication Date: 8/19/2020
Reference Information
CVE: CVE-2020-3521, CVE-2020-3538, CVE-2020-3539
CISCO-SA: cisco-sa-dcnm-authbypass-YVJzqgk2, cisco-sa-dcnm-file-path-6PKONjHe, cisco-sa-dcnm-pa-trav-bMdfSTTq
IAVA: 2020-A-0279
CISCO-BUG-ID: CSCvt86742, CSCvu28388, CSCvu57876