Command Injection in Cisco NDFC REST API & UI (CVE-2024-20432)
CVE-2024-20432 Published on October 2, 2024
Cisco Nexus Dashboard Fabric Controller Web UI Command Injection Vulnerability
A vulnerability in the REST API and web UI of Cisco Nexus Dashboard Fabric Controller (NDFC) could allow an authenticated, low-privileged, remote attacker to perform a command injection attack against an affected device.
This vulnerability is due to improper user authorization and insufficient validation of command arguments. An attacker could exploit this vulnerability by submitting crafted commands to an affected REST API endpoint or through the web UI. A successful exploit could allow the attacker to execute arbitrary commands on the CLI of a Cisco NDFC-managed device with network-admin privileges.
Note: This vulnerability does not affect Cisco NDFC when it is configured for storage area network (SAN) controller deployment.
Vulnerability Analysis
CVE-2024-20432 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.
Weakness Type
What is a Command Injection Vulnerability?
The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CVE-2024-20432 has been classified to as a Command Injection vulnerability or weakness.
Products Associated with CVE-2024-20432
Want to know whenever a new CVE is published for Cisco Nexus Dashboard Fabric Controller? stack.watch will email you.
Affected Versions
Cisco Data Center Network Manager:- Version 12.1(1) is affected.
- Version 12.0.1a is affected.
- Version 12.0.2d is affected.
- Version 12.0.2f is affected.
- Version 12.1.1 is affected.
- Version 12.1.1e is affected.
- Version 12.1.1p is affected.
- Version 12.1.2e is affected.
- Version 12.1.2p is affected.
- Version 12.1.3b is affected.
- Version 12.2.1 is affected.
- Version 12.1(1) is affected.
- Version 12.0.1a is affected.
- Version 12.0.2d is affected.
- Version 12.0.2f is affected.
- Version 12.1.1 is affected.
- Version 12.1.1e is affected.
- Version 12.1.1p is affected.
- Version 12.1.2e is affected.
- Version 12.1.2p is affected.
- Version 12.1.3b is affected.
- Version 12.2.1 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.