CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2020-3139 – Cisco Application Policy Infrastructure Controller Out Of Band Management IP Tables Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2020-3139
A vulnerability in the out of band (OOB) management interface IP table rule programming for Cisco Application Policy Infrastructure Controller (APIC) could allow an unauthenticated, remote attacker to bypass configured deny entries for specific IP ports. These IP ports would be permitted to the OOB management interface when, in fact, the packets should be dropped. The vulnerability is due to the configuration of specific IP table entries for which there is a programming logic error that results in the IP port being permitted. An attacker could exploit this vulnerability by sending traffic to the OOB management interface on the targeted device. A successful exploit could allow the attacker to bypass configured IP table rules to drop specific IP port traffic. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iptable-bypass-GxW88XjL • CWE-20: Improper Input Validation •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2019-1692 – Cisco Application Policy Infrastructure Controller Web-Based Management Interface Usage Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2019-1692
A vulnerability in the web-based management interface of Cisco Application Policy Infrastructure Controller (APIC) Software could allow an unauthenticated, remote attacker to access sensitive system usage information. The vulnerability is due to a lack of proper data protection mechanisms for certain components in the underlying Application Centric Infrastructure (ACI). An attacker could exploit this vulnerability by attempting to observe certain network traffic when accessing the APIC. A successful exploit could allow the attacker to access and collect certain tracking data and usage statistics on an affected device. Una vulnerabilidad en la interfaz de administración basada en web del software Cisco Application Policy Infrastructure Controller (APIC) de Cisco, podría permitir que un atacante remoto no identificado acceda a la información confidencial acerca del uso del sistema. • http://www.securityfocus.com/bid/108155 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-apic-info-disc • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-311: Missing Encryption of Sensitive Data •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-1682 – Cisco Application Policy Infrastructure Controller Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2019-1682
A vulnerability in the FUSE filesystem functionality for Cisco Application Policy Infrastructure Controller (APIC) software could allow an authenticated, local attacker to escalate privileges to root on an affected device. The vulnerability is due to insufficient input validation for certain command strings issued on the CLI of the affected device. An attacker with write permissions for files within a readable folder on the device could alter certain definitions in the affected file. A successful exploit could allow an attacker to cause the underlying FUSE driver to execute said crafted commands, elevating the attacker's privileges to root on an affected device. Una vulnerabilidad en la funcionalidad del sistema de archivos FUSE (FUSE filesystem) para el software Application Policy Infrastructure Controller (APIC) de Cisco, podría permitir a un atacante local identificado escalar privilegios a root en un dispositivo afectado. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-apic-priv-escalation • CWE-20: Improper Input Validation CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.5EPSS: 0%CPEs: 100EXPL: 0CVE-2019-1690 – Cisco Application Policy Infrastructure Controller IPv6 Link-Local Address Vulnerability
https://notcve.org/view.php?id=CVE-2019-1690
A vulnerability in the management interface of Cisco Application Policy Infrastructure Controller (APIC) software could allow an unauthenticated, adjacent attacker to gain unauthorized access on an affected device. The vulnerability is due to a lack of proper access control mechanisms for IPv6 link-local connectivity imposed on the management interface of an affected device. An attacker on the same physical network could exploit this vulnerability by attempting to connect to the IPv6 link-local address on the affected device. A successful exploit could allow the attacker to bypass default access control restrictions on an affected device. Cisco Application Policy Infrastructure Controller (APIC) devices running versions prior to 4.2(0.21c) are affected. • http://www.securityfocus.com/bid/107317 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190306-apic-ipv6 • CWE-284: Improper Access Control •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2017-12352
https://notcve.org/view.php?id=CVE-2017-12352
A vulnerability in certain system script files that are installed at boot time on Cisco Application Policy Infrastructure Controllers could allow an authenticated, local attacker to gain elevated privileges and execute arbitrary commands with root privileges on an affected host operating system. The vulnerability is due to insufficient validation of user-controlled input that is supplied to certain script files of an affected system. An attacker could exploit this vulnerability by submitting crafted input to a script file on an affected system. A successful exploit could allow the attacker to gain elevated privileges and execute arbitrary commands with root privileges on the affected system. To exploit this vulnerability, the attacker would need to authenticate to the affected system by using valid administrator credentials. • http://www.securityfocus.com/bid/101993 http://www.securitytracker.com/id/1039925 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171129-apic • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •