Cisco Nexus Dashboard Fabric Controller Vulnerability Could Allow Arbitrary SQL Commands

CVE-2024-20536

8.8HIGH

Key Information

Vendor: Cisco
Status: Cisco Data Center Network Manager
Vendor: CVE Published:; 6 November 2024

Badges

👾 Exploit Exists

Summary

A vulnerability in a REST API endpoint and web-based management interface of Cisco Nexus Dashboard Fabric Controller (NDFC) could allow an authenticated, remote attacker with read-only privileges to execute arbitrary SQL commands on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted request to a specific REST API endpoint or web-based management interface. A successful exploit could allow the attacker to read, modify, or delete arbitrary data on an internal database, which could affect the availability of the device. 

Affected Version(s)

Cisco Data Center Network Manager = 12.1.2e

Cisco Data Center Network Manager = 12.1.2p

Cisco Data Center Network Manager = 12.1.3b

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

👾
Exploit exists.
Nov 9, 2024
Risk change from: null to: 8.8 - (HIGH)
Nov 9, 2024
Vulnerability published.
Nov 6, 2024

Collectors

NVD DatabaseMitre Database