Main Vulnerability Database SB2020062318

SB2020062318 - Path traversal in Cisco Enterprise NFV Infrastructure Software

Published: June 23, 2020

Security Bulletin ID SB2020062318

CSH Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Local access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Path traversal (CVE-ID: CVE-2020-3236)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in the CLI command arguments. A local user can send a specially crafted HTTP request, gain root shell access to the underlying operating system and overwrite or read arbitrary files on an affected device.

Remediation

Install update from vendor's website.

References

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nfvis-ptrav-SHMzzwVR