CVE-2020-3247 – Multiple Vulnerabilities in Cisco UCS Director and Cisco UCS Director Express for Big Data
https://notcve.org/view.php?id=CVE-2020-3247
Multiple vulnerabilities in the REST API of Cisco UCS Director and Cisco UCS Director Express for Big Data may allow a remote attacker to bypass authentication or conduct directory traversal attacks on an affected device. For more information about these vulnerabilities, see the Details section of this advisory. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco UCS Director.
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucsd-mult-vulns-UNfpdW4E
• https://www.zerodayinitiative.com/advisories/ZDI-20-541
• CWE-20: Improper Input Validation
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2020-3243 – Multiple Vulnerabilities in Cisco UCS Director and Cisco UCS Director Express for Big Data
https://notcve.org/view.php?id=CVE-2020-3243
Multiple vulnerabilities in the REST API of Cisco UCS Director and Cisco UCS Director Express for Big Data may allow a remote attacker to bypass authentication or conduct directory traversal attacks on an affected device. For more information about these vulnerabilities, see the Details section of this advisory. This vulnerability allows remote attackers to bypass authentication on affected installations of Cisco UCS Director.
• http://packetstormsecurity.com/files/157955/Cisco-UCS-Director-Cloupia-Script-Remote-Code-Execution.html
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucsd-mult-vulns-UNfpdW4E
• https://www.zerodayinitiative.com/advisories/ZDI-20-540
• https://srcincite.io/blog/2020/04/17/strike-three-symlinking-your-way-to-unauthenticated-access-against-cisco-ucs-director.html
• https://srcincite.io/pocs/src-2020-0014.py.txt
• CWE-20: Improper Input Validation
• CWE-269: Improper Privilege Management
CVE-2020-3240 – Multiple Vulnerabilities in Cisco UCS Director and Cisco UCS Director Express for Big Data
https://notcve.org/view.php?id=CVE-2020-3240
Multiple vulnerabilities in the REST API of Cisco UCS Director and Cisco UCS Director Express for Big Data may allow a remote attacker to bypass authentication or conduct directory traversal attacks on an affected device. For more information about these vulnerabilities, see the Details section of this advisory. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco UCS Director.
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucsd-mult-vulns-UNfpdW4E
• https://www.zerodayinitiative.com/advisories/ZDI-20-542
• CWE-20: Improper Input Validation
CVE-2020-3239 – Multiple Vulnerabilities in Cisco UCS Director and Cisco UCS Director Express for Big Data
https://notcve.org/view.php?id=CVE-2020-3239
Multiple vulnerabilities in the REST API of Cisco UCS Director and Cisco UCS Director Express for Big Data may allow a remote attacker to bypass authentication or conduct directory traversal attacks on an affected device. For more information about these vulnerabilities, see the Details section of this advisory. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco UCS Director.
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucsd-mult-vulns-UNfpdW4E
• https://www.zerodayinitiative.com/advisories/ZDI-20-539
• CWE-20: Improper Input Validation
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2019-16003 – Cisco UCS Director Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2019-16003
A vulnerability in the web-based management interface of Cisco UCS Director could allow an unauthenticated, remote attacker to download system log files from an affected device. The vulnerability is due to an issue in the authentication logic of the web-based management interface. An attacker could exploit this vulnerability by sending a crafted request to the web interface. A successful exploit could allow the attacker to download log files if they were previously generated by an administrator.
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200108-ucs-dir-infodis
• CWE-306: Missing Authentication for Critical Function