Information disclosure in Cisco UCS Director

#VU29145 Information disclosure in Cisco UCS Director

Published: 2020-06-18

Vulnerability identifier: #VU29145

Vulnerability risk: Low

CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-3242

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Cisco UCS Director
Server applications / Other server solutions

Vendor: Cisco Systems, Inc

Description

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to confidential information is returned as part of an API response. A remote administrator can send a specially crafted request and obtain the API key of another user, allowing him to impersonate the account of that user on the affected device

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Cisco UCS Director: 5.4.0.0 - 6.7.3.1

External links
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucsd-info-disclosure-gSMU8EKT

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Cisco UCS Director and Cisco UCS Director Express for Big Data