CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2020-3139 – Cisco Application Policy Infrastructure Controller Out Of Band Management IP Tables Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2020-3139
A vulnerability in the out of band (OOB) management interface IP table rule programming for Cisco Application Policy Infrastructure Controller (APIC) could allow an unauthenticated, remote attacker to bypass configured deny entries for specific IP ports. These IP ports would be permitted to the OOB management interface when, in fact, the packets should be dropped. The vulnerability is due to the configuration of specific IP table entries for which there is a programming logic error that results in the IP port being permitted. An attacker could exploit this vulnerability by sending traffic to the OOB management interface on the targeted device. A successful exploit could allow the attacker to bypass configured IP table rules to drop specific IP port traffic. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iptable-bypass-GxW88XjL • CWE-20: Improper Input Validation •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2019-1889 – Cisco Application Policy Infrastructure Controller REST API Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2019-1889
A vulnerability in the REST API for software device management in Cisco Application Policy Infrastructure Controller (APIC) Software could allow an authenticated, remote attacker to escalate privileges to root on an affected device. The vulnerability is due to incomplete validation and error checking for the file path when specific software is uploaded. An attacker could exploit this vulnerability by uploading malicious software using the REST API. A successful exploit could allow an attacker to escalate their privilege level to root. The attacker would need to have the administrator role on the device. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190703-ccapic-restapi • CWE-20: Improper Input Validation CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2019-1838 – Cisco Application Policy Infrastructure Controller Web-Based Management Interface Cross-Site Scripting Vulnerability
https://notcve.org/view.php?id=CVE-2019-1838
A vulnerability in the web-based management interface of Cisco Application Policy Infrastructure Controller (APIC) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. This vulnerability has been fixed in software version 14.1(1i). • http://www.securityfocus.com/bid/108169 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-apic-xss • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2019-1692 – Cisco Application Policy Infrastructure Controller Web-Based Management Interface Usage Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2019-1692
A vulnerability in the web-based management interface of Cisco Application Policy Infrastructure Controller (APIC) Software could allow an unauthenticated, remote attacker to access sensitive system usage information. The vulnerability is due to a lack of proper data protection mechanisms for certain components in the underlying Application Centric Infrastructure (ACI). An attacker could exploit this vulnerability by attempting to observe certain network traffic when accessing the APIC. A successful exploit could allow the attacker to access and collect certain tracking data and usage statistics on an affected device. Una vulnerabilidad en la interfaz de administración basada en web del software Cisco Application Policy Infrastructure Controller (APIC) de Cisco, podría permitir que un atacante remoto no identificado acceda a la información confidencial acerca del uso del sistema. • http://www.securityfocus.com/bid/108155 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-apic-info-disc • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-311: Missing Encryption of Sensitive Data •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-1682 – Cisco Application Policy Infrastructure Controller Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2019-1682
A vulnerability in the FUSE filesystem functionality for Cisco Application Policy Infrastructure Controller (APIC) software could allow an authenticated, local attacker to escalate privileges to root on an affected device. The vulnerability is due to insufficient input validation for certain command strings issued on the CLI of the affected device. An attacker with write permissions for files within a readable folder on the device could alter certain definitions in the affected file. A successful exploit could allow an attacker to cause the underlying FUSE driver to execute said crafted commands, elevating the attacker's privileges to root on an affected device. Una vulnerabilidad en la funcionalidad del sistema de archivos FUSE (FUSE filesystem) para el software Application Policy Infrastructure Controller (APIC) de Cisco, podría permitir a un atacante local identificado escalar privilegios a root en un dispositivo afectado. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-apic-priv-escalation • CWE-20: Improper Input Validation CWE-264: Permissions, Privileges, and Access Controls •