CVSS: 9.8EPSS: 9%CPEs: 19EXPL: 0CVE-2020-3240 – Multiple Vulnerabilities in Cisco UCS Director and Cisco UCS Director Express for Big Data
https://notcve.org/view.php?id=CVE-2020-3240
Multiple vulnerabilities in the REST API of Cisco UCS Director and Cisco UCS Director Express for Big Data may allow a remote attacker to bypass authentication or conduct directory traversal attacks on an affected device. For more information about these vulnerabilities, see the Details section of this advisory. Múltiples vulnerabilidades en la API REST de Cisco UCS Director y Cisco UCS Director Express para Big Data, pueden permitir a un atacante remoto omitir la autenticación o conducir ataques de salto de directorio sobre un dispositivo afectado. Para mayor información acerca de estas vulnerabilidades, consulte la sección Detalles de este aviso. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco UCS Director. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucsd-mult-vulns-UNfpdW4E https://www.zerodayinitiative.com/advisories/ZDI-20-542 • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 90%CPEs: 19EXPL: 0CVE-2020-3239 – Multiple Vulnerabilities in Cisco UCS Director and Cisco UCS Director Express for Big Data
https://notcve.org/view.php?id=CVE-2020-3239
Multiple vulnerabilities in the REST API of Cisco UCS Director and Cisco UCS Director Express for Big Data may allow a remote attacker to bypass authentication or conduct directory traversal attacks on an affected device. For more information about these vulnerabilities, see the Details section of this advisory. Múltiples vulnerabilidades en la API REST de Cisco UCS Director y Cisco UCS Director Express para Big Data, pueden permitir a un atacante remoto omitir la autenticación o conducir ataques de salto de directorio sobre un dispositivo afectado. Para mayor información acerca de estas vulnerabilidades, consulte la sección Detalles de este aviso. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco UCS Director. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucsd-mult-vulns-UNfpdW4E https://www.zerodayinitiative.com/advisories/ZDI-20-539 • CWE-20: Improper Input Validation CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.8EPSS: 0%CPEs: 32EXPL: 0CVE-2020-3167 – Cisco FXOS and UCS Manager Software CLI Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2020-3167
A vulnerability in the CLI of Cisco FXOS Software and Cisco UCS Manager Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system (OS). The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by including crafted arguments to specific commands. A successful exploit could allow the attacker to execute arbitrary commands on the underlying OS with the privileges of the currently logged-in user for all affected platforms excluding Cisco UCS 6400 Series Fabric Interconnects. On Cisco UCS 6400 Series Fabric Interconnects, the injected commands are executed with root privileges. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200226-fxos-ucs-cmdinj • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.8EPSS: 0%CPEs: 22EXPL: 0CVE-2020-3171 – Cisco FXOS and UCS Manager Software Local Management CLI Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2020-3171
A vulnerability in the local management (local-mgmt) CLI of Cisco FXOS Software and Cisco UCS Manager Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system (OS) of an affected device. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by including crafted arguments to specific commands. A successful exploit could allow the attacker to execute arbitrary commands on the underlying OS with the privileges of the currently logged-in user for all affected platforms excluding Cisco UCS 6400 Series Fabric Interconnects. On Cisco UCS 6400 Series Fabric Interconnects, the injected commands are executed with root privileges. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200226-fxos-ucs-cli-cmdinj • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.8EPSS: 0%CPEs: 119EXPL: 0CVE-2020-3172 – Cisco FXOS and NX-OS Software Cisco Discovery Protocol Arbitrary Code Execution and Denial of Service Vulnerability
https://notcve.org/view.php?id=CVE-2020-3172
A vulnerability in the Cisco Discovery Protocol feature of Cisco FXOS Software and Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to execute arbitrary code as root or cause a denial of service (DoS) condition on an affected device. The vulnerability exists because of insufficiently validated Cisco Discovery Protocol packet headers. An attacker could exploit this vulnerability by sending a crafted Cisco Discovery Protocol packet to a Layer 2-adjacent affected device. A successful exploit could allow the attacker to cause a buffer overflow that could allow the attacker to execute arbitrary code as root or cause a DoS condition on the affected device. Note: Cisco Discovery Protocol is a Layer 2 protocol. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200226-fxos-nxos-cdp • CWE-20: Improper Input Validation •