Skip to main content

Nexus Dashboard Fabric Controller CVE-2024-20536

HIGH
SQL Injection (CWE-89)
2024-11-06 psirt@cisco.com
8.8
CVSS 3.1 · Vendor: cisco
Share

Severity by source

Vendor (cisco) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from Vendor (cisco) · only source for this CVE.

CVSS VectorVendor: cisco

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Nov 06, 2024 - 17:15 cve.org
HIGH 8.8

DescriptionCVE.org

A vulnerability in a REST API endpoint and web-based management interface of Cisco Nexus Dashboard Fabric Controller (NDFC) could allow an authenticated, remote attacker with read-only privileges to execute arbitrary SQL commands on an affected device.

This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted request to a specific REST API endpoint or web-based management interface. A successful exploit could allow the attacker to read, modify, or delete arbitrary data on an internal database, which could affect the availability of the device. 

AnalysisAI

A vulnerability in a REST API endpoint and web-based management interface of Cisco Nexus Dashboard Fabric Controller (NDFC) could allow an authenticated, remote attacker with read-only privileges to. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as SQL Injection (CWE-89), which allows attackers to execute arbitrary SQL commands against the database. A vulnerability in a REST API endpoint and web-based management interface of Cisco Nexus Dashboard Fabric Controller (NDFC) could allow an authenticated, remote attacker with read-only privileges to execute arbitrary SQL commands on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted request to a specific REST API endpoint or web-based management interface. A successful exploit could allow the attacker to read, modify, or delete arbitrary data on an internal database, which could affect the availability of the device.  Affected products include: Cisco Nexus Dashboard Fabric Controller.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Use parameterized queries/prepared statements. Never concatenate user input into SQL. Apply least-privilege database permissions.

CVE-2024-20449 HIGH
8.8 Oct 02

A vulnerability in Cisco Nexus Dashboard Fabric Controller (NDFC) could allow an authenticated, remote attacker with low

CVE-2024-20432 HIGH
8.8 Oct 02

A vulnerability in the REST API and web UI of Cisco Nexus Dashboard Fabric Controller (NDFC) could allow an authenticate

CVE-2024-20281 HIGH
8.8 Apr 03

A vulnerability in the web-based management interface of Cisco Nexus Dashboard and Cisco Nexus Dashboard hosted services

CVE-2024-20491 HIGH
8.6 Oct 02

A vulnerability in a logging function of Cisco Nexus Dashboard Insights could allow an attacker with access to a tech su

CVE-2024-20490 HIGH
8.6 Oct 02

A vulnerability in a logging function of Cisco Nexus Dashboard Fabric Controller (NDFC) and Cisco Nexus Dashboard Orches

CVE-2024-20448 HIGH
8.6 Oct 02

A vulnerability in the Cisco Nexus Dashboard Fabric Controller (NDFC) software, formerly Cisco Data Center Network Manag

CVE-2024-20348 HIGH
7.5 Apr 03

A vulnerability in the Out-of-Band (OOB) Plug and Play (PnP) feature of Cisco Nexus Dashboard Fabric Controller (NDFC) c

CVE-2024-20441 MEDIUM
6.5 Oct 02

A vulnerability in a specific REST API endpoint of Cisco NDFC could allow an authenticated, low-privileged, remote attac

CVE-2024-20444 MEDIUM
5.5 Oct 02

A vulnerability in Cisco Nexus Dashboard Fabric Controller (NDFC), formerly Cisco Data Center Network Manager (DCNM), co

CVE-2024-20477 MEDIUM
5.4 Oct 02

A vulnerability in a specific REST API endpoint of Cisco NDFC could allow an authenticated, low-privileged, remote attac

CVE-2024-20442 MEDIUM
5.4 Oct 02

A vulnerability in the REST API endpoints of Cisco Nexus Dashboard could allow an authenticated, low-privileged, remote

CVE-2024-20438 MEDIUM
5.4 Oct 02

A vulnerability in the REST API endpoints of Cisco NDFC could allow an authenticated, low-privileged, remote attacker to

Share

CVE-2024-20536 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy