Arbitrary Code Execution Vulnerability in Cisco Nexus Dashboard Fabric Controller (NDFC)
CVE-2024-20449

8.8HIGH

Key Information:

Vendor: Cisco
Status: Cisco Data Center Network Manager
Vendor: CVE Published:; 2 October 2024

Summary

A vulnerability in Cisco Nexus Dashboard Fabric Controller (NDFC) allows authenticated remote attackers with low privileges to execute arbitrary code on affected devices. This security issue is attributed to improper path validation, enabling exploitation through the Secure Copy Protocol (SCP). By leveraging path traversal techniques, an attacker can upload malicious code to the targeted device. Successfully exploiting this vulnerability may allow the attacker to execute arbitrary code in a specific container, operating with root privileges.

Affected Version(s)

Cisco Data Center Network Manager 12.1(1)

Cisco Data Center Network Manager 12.0.1a

Cisco Data Center Network Manager 12.0.2d

References

https://sec.cloudapps.cisco.com/security/center/content/C...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 2, 2024
Vulnerability Reserved
Nov 8, 2023