CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2020-3139 – Cisco Application Policy Infrastructure Controller Out Of Band Management IP Tables Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2020-3139
26 Jan 2020 — A vulnerability in the out of band (OOB) management interface IP table rule programming for Cisco Application Policy Infrastructure Controller (APIC) could allow an unauthenticated, remote attacker to bypass configured deny entries for specific IP ports. These IP ports would be permitted to the OOB management interface when, in fact, the packets should be dropped. The vulnerability is due to the configuration of specific IP table entries for which there is a programming logic error that results in the IP po... • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iptable-bypass-GxW88XjL • CWE-20: Improper Input Validation •
CVSS: 7.4EPSS: 0%CPEs: 34EXPL: 0CVE-2019-1890 – Cisco Nexus 9000 Series Fabric Switches ACI Mode Fabric Infrastructure VLAN Unauthorized Access Vulnerability
https://notcve.org/view.php?id=CVE-2019-1890
04 Jul 2019 — A vulnerability in the fabric infrastructure VLAN connection establishment of the Cisco Nexus 9000 Series Application Centric Infrastructure (ACI) Mode Switch Software could allow an unauthenticated, adjacent attacker to bypass security validations and connect an unauthorized server to the infrastructure VLAN. The vulnerability is due to insufficient security requirements during the Link Layer Discovery Protocol (LLDP) setup phase of the infrastructure VLAN. An attacker could exploit this vulnerability by s... • http://www.securityfocus.com/bid/109052 • CWE-284: Improper Access Control •
CVSS: 9.0EPSS: 1%CPEs: 1EXPL: 0CVE-2019-1889 – Cisco Application Policy Infrastructure Controller REST API Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2019-1889
04 Jul 2019 — A vulnerability in the REST API for software device management in Cisco Application Policy Infrastructure Controller (APIC) Software could allow an authenticated, remote attacker to escalate privileges to root on an affected device. The vulnerability is due to incomplete validation and error checking for the file path when specific software is uploaded. An attacker could exploit this vulnerability by uploading malicious software using the REST API. A successful exploit could allow an attacker to escalate th... • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190703-ccapic-restapi • CWE-20: Improper Input Validation CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2019-1838 – Cisco Application Policy Infrastructure Controller Web-Based Management Interface Cross-Site Scripting Vulnerability
https://notcve.org/view.php?id=CVE-2019-1838
03 May 2019 — A vulnerability in the web-based management interface of Cisco Application Policy Infrastructure Controller (APIC) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A succ... • http://www.securityfocus.com/bid/108169 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2019-1692 – Cisco Application Policy Infrastructure Controller Web-Based Management Interface Usage Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2019-1692
03 May 2019 — A vulnerability in the web-based management interface of Cisco Application Policy Infrastructure Controller (APIC) Software could allow an unauthenticated, remote attacker to access sensitive system usage information. The vulnerability is due to a lack of proper data protection mechanisms for certain components in the underlying Application Centric Infrastructure (ACI). An attacker could exploit this vulnerability by attempting to observe certain network traffic when accessing the APIC. A successful exploit... • http://www.securityfocus.com/bid/108155 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-311: Missing Encryption of Sensitive Data •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-1682 – Cisco Application Policy Infrastructure Controller Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2019-1682
03 May 2019 — A vulnerability in the FUSE filesystem functionality for Cisco Application Policy Infrastructure Controller (APIC) software could allow an authenticated, local attacker to escalate privileges to root on an affected device. The vulnerability is due to insufficient input validation for certain command strings issued on the CLI of the affected device. An attacker with write permissions for files within a readable folder on the device could alter certain definitions in the affected file. A successful exploit co... • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-apic-priv-escalation • CWE-20: Improper Input Validation CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.6EPSS: 0%CPEs: 1EXPL: 0CVE-2019-1586 – Cisco Application Policy Infrastructure Controller Recoverable Encryption Key Vulnerability
https://notcve.org/view.php?id=CVE-2019-1586
03 May 2019 — A vulnerability in Cisco Application Policy Infrastructure Controller (APIC) Software could allow an unauthenticated, local attacker with physical access to obtain sensitive information from an affected device. The vulnerability is due to insecure removal of cleartext encryption keys stored on local partitions in the hard drive of an affected device. An attacker could exploit this vulnerability by retrieving data from the physical disk on the affected partition(s). A successful exploit could allow the attac... • http://www.securityfocus.com/bid/108158 • CWE-320: Key Management Errors CWE-459: Incomplete Cleanup •
CVSS: 6.5EPSS: 0%CPEs: 100EXPL: 0CVE-2019-1690 – Cisco Application Policy Infrastructure Controller IPv6 Link-Local Address Vulnerability
https://notcve.org/view.php?id=CVE-2019-1690
11 Mar 2019 — A vulnerability in the management interface of Cisco Application Policy Infrastructure Controller (APIC) software could allow an unauthenticated, adjacent attacker to gain unauthorized access on an affected device. The vulnerability is due to a lack of proper access control mechanisms for IPv6 link-local connectivity imposed on the management interface of an affected device. An attacker on the same physical network could exploit this vulnerability by attempting to connect to the IPv6 link-local address on t... • http://www.securityfocus.com/bid/107317 • CWE-284: Improper Access Control •
CVSS: 7.8EPSS: 0%CPEs: 38EXPL: 0CVE-2019-1585 – Cisco Nexus 9000 Series Fabric Switches Application-Centric Infrastructure Mode Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2019-1585
06 Mar 2019 — A vulnerability in the controller authorization functionality of Cisco Nexus 9000 Series ACI Mode Switch Software could allow an authenticated, local attacker to escalate standard users with root privilege on an affected device. The vulnerability is due to a misconfiguration of certain sudoers files for the bashroot component on an affected device. An attacker could exploit this vulnerability by authenticating to the affected device with a crafted user ID, which may allow temporary administrative access to ... • http://www.securityfocus.com/bid/107312 • CWE-16: Configuration •
CVSS: 9.0EPSS: 1%CPEs: 1EXPL: 0CVE-2018-0427
https://notcve.org/view.php?id=CVE-2018-0427
15 Aug 2018 — A vulnerability in the CronJob scheduler API of Cisco Digital Network Architecture (DNA) Center could allow an authenticated, remote attacker to perform a command injection attack. The vulnerability is due to incorrect input validation of user-supplied data. An attacker could exploit this vulnerability by sending a malicious packet. A successful exploit could allow the attacker to execute arbitrary commands with root privileges. Cisco Bug IDs: CSCvi42263. • http://www.securityfocus.com/bid/105106 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •