Privilege Escalation Vulnerability in Cisco UCS Director by Cisco Systems
CVE-2017-3801

8.8HIGH

Key Information:

Vendor
Cisco
Status
Cisco Ucs Director Versions 6.0.0.0 And 6.0.0.1
Vendor
CVE Published:
15 February 2017

Summary

A vulnerability exists in the web-based GUI of Cisco UCS Director, which could be exploited by an authenticated local attacker. This flaw arises from improper role-based access control (RBAC) after enabling the Developer Menu. By activating Developer Mode in an end-user profile, the attacker can create new catalogs containing arbitrary workflow items, enabling them to execute any listed actions. Such actions could potentially affect other tenants within the system, posing significant risks to overall system integrity.

Affected Version(s)

Cisco UCS Director 6.0.0.0 and 6.0.0.1 Cisco UCS Director versions 6.0.0.0 and 6.0.0.1

References

http://www.securitytracker.com/id/1037830
vdb-entryx_refsource_SECTRACK
https://tools.cisco.com/security/center/content/CiscoSecu...
x_refsource_CONFIRM
http://www.securityfocus.com/bid/96235
vdb-entryx_refsource_BID

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.