Main Vulnerability Database SB2018050714

SB2018050714 - Remote code execution in Cisco Data Center Network Manager

Published: May 7, 2018

Security Bulletin ID SB2018050714

Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Path traversal (CVE-ID: CVE-2018-0258)

The vulnerability allows a remote unauthenticated attacker to execute arbitrary code on the target system.

The weakness exists in the File Upload servlet due to improper input validation of the parameters in the HTTP request and a processing error in the role-based access control (RBAC) of URLs. A remote attacker can upload a specially crafted Java Server Pages (JSP) file to a specific folder using path traversal techniques and then execute that file remotely and execute arbitrary code with the privileges of the SYSTEM user.

Successful exploitation of the vulnerability may result in system compromise.

Remediation

Install update from vendor's website.

References

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180502-prime-upload