10
CVE-2020-3470
- EPSS 3.2%
- Veröffentlicht 18.11.2020 19:15:12
- Zuletzt bearbeitet 21.11.2024 05:31:08
- Quelle psirt@cisco.com
- Teams Watchlist Login
- Unerledigt Login
Multiple vulnerabilities in the API subsystem of Cisco Integrated Management Controller (IMC) could allow an unauthenticated, remote attacker to execute arbitrary code with root privileges. The vulnerabilities are due to improper boundary checks for certain user-supplied input. An attacker could exploit these vulnerabilities by sending a crafted HTTP request to the API subsystem of an affected system. When this request is processed, an exploitable buffer overflow condition may occur. A successful exploit could allow the attacker to execute arbitrary code with root privileges on the underlying operating system (OS).
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Cisco ≫ Enterprise Nfv Infrastructure Software Version < 4.4.1
Cisco ≫ Enterprise Network Compute System 5100 Version-
Cisco ≫ Enterprise Network Compute System 5400 Version-
Cisco ≫ Enterprise Network Compute System 5400 Version-
Cisco ≫ Integrated Management Controller Version >= 4.0\(1a\) <= 4.0\(4l\)
Cisco ≫ Integrated Management Controller Version >= 3.0\(1c\) <= 3.0\(4q\)
Cisco ≫ Integrated Management Controller Version >= 4.0\(1a\) <= 4.0\(2l\)
Cisco ≫ Integrated Management Controller Version >= 4.1\(1c\) <= 4.1\(1f\)
Cisco ≫ Integrated Management Controller Version >= 3.0\(1c\) <= 3.0\(4q\)
Cisco ≫ Ucs C22 M3 Version-
Cisco ≫ Ucs C220 M3 Version-
Cisco ≫ Ucs C24 M3 Version-
Cisco ≫ Ucs C240 M3 Version-
Cisco ≫ Ucs C420 M3 Version-
Cisco ≫ Ucs C220 M3 Version-
Cisco ≫ Ucs C24 M3 Version-
Cisco ≫ Ucs C240 M3 Version-
Cisco ≫ Ucs C420 M3 Version-
Cisco ≫ Integrated Management Controller Version < 3.2.11.3
Cisco ≫ Integrated Management Controller Version >= 3.1 <= 4.0\(4l\)
Cisco ≫ Integrated Management Controller Version >= 4.1\(1c\) <= 4.1\(1f\)
Cisco ≫ Integrated Management Controller Version >= 3.0\(1c\) <= 3.0\(4q\)
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 3.2% | 0.858 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 10 | 10 | 10 |
AV:N/AC:L/Au:N/C:C/I:C/A:C
|
| psirt@cisco.com | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.