Cisco NDFC REST API Vulnerability: Limited Network-Admin Functions at Risk

CVE-2024-20438

5.4MEDIUM

Key Information

Vendor: Cisco
Status: Cisco Data Center Network Manager
Vendor: CVE Published:; 2 October 2024

Badges

👾 Exploit Exists

Summary

A vulnerability in the REST API endpoints of Cisco NDFC could allow an authenticated, low-privileged, remote attacker to read or write files on an affected device.

This vulnerability exists because of missing authorization controls on some REST API endpoints. An attacker could exploit this vulnerability by sending crafted API requests to an affected endpoint. A successful exploit could allow the attacker to perform limited network-admin functions such as reading device configuration information, uploading files, and modifying uploaded files. Note: This vulnerability only affects a subset of REST API endpoints and does not affect the web-based management interface.

Affected Version(s)

Cisco Data Center Network Manager = 12.1(1)

Cisco Data Center Network Manager = 12.0.1a

Cisco Data Center Network Manager = 12.0.2d

Refferences

https://sec.cloudapps.cisco.com/security/center/content/C...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 2, 2024
Vulnerability Reserved
Nov 8, 2023

Collectors

NVD DatabaseMitre Database