Cisco Nexus Dashboard Fabric Controller Vulnerability Could Allow Arbitrary SQL Commands
CVE-2024-20536

8.8 HIGH

Key Information:

Vendor: Cisco
CVE Published: 6 November 2024

Badges

👾 Exploit Exists

Summary

A vulnerability in the REST API endpoints and the web-based management interface of Cisco Nexus Dashboard Fabric Controller (NDFC) could allow an authenticated, remote attacker with read-only privileges to execute arbitrary SQL commands. The flaw is caused by insufficient validation of user-supplied input; an attacker could exploit it by sending a specially crafted request to an affected REST API endpoint or to the management interface. A successful exploit could allow the attacker to read, modify, or delete data in the system's internal database, which affects the confidentiality, integrity, and availability of that data.

Affected Version(s)

Cisco Data Center Network Manager 12.1.2e

Cisco Data Center Network Manager 12.1.2p

Cisco Data Center Network Manager 12.1.3b

References

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • 👾 Exploit known to exist

  • Vulnerability published