CVE-2024-20302 - Vulnerability Details - OpenCVE

A vulnerability in the tenant security implementation of Cisco Nexus Dashboard Orchestrator (NDO) could allow an authenticated, remote attacker to modify or delete tenant templates on an affected system. This vulnerability is due to improper access controls within tenant security. An attacker who is using a valid user account with write privileges and either a Site Manager or Tenant Manager role could exploit this vulnerability. A successful exploit could allow the attacker to modify or delete tenant templates under non-associated tenants, which could disrupt network traffic.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ndo-upav-YRqsCcSP

History

No history.

MITRE

Status: PUBLISHED

Assigner: cisco

Published: 2024-04-03T16:21:29.900Z

Updated: 2024-08-01T21:59:42.220Z

Reserved: 2023-11-08T15:08:07.630Z

Link: CVE-2024-20302

Vulnrichment

Updated: 2024-08-01T21:59:42.220Z

NVD

Status : Awaiting Analysis

Published: 2024-04-03T17:15:48.323

Modified: 2024-11-21T08:52:18.023

Link: CVE-2024-20302

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-20302", "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "state": "PUBLISHED", "assignerShortName": "cisco", "dateReserved": "2023-11-08T15:08:07.630Z", "datePublished": "2024-04-03T16:21:29.900Z", "dateUpdated": "2024-08-01T21:59:42.220Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco", "dateUpdated": "2024-04-03T16:21:29.900Z"}, "descriptions": [{"lang": "en", "value": "A vulnerability in the tenant security implementation of Cisco Nexus Dashboard Orchestrator (NDO) could allow an authenticated, remote attacker to modify or delete tenant templates on an affected system. \r\n \r\nThis vulnerability is due to improper access controls within tenant security. An attacker who is using a valid user account with write privileges and either a Site Manager or Tenant Manager role could exploit this vulnerability. A successful exploit could allow the attacker to modify or delete tenant templates under non-associated tenants, which could disrupt network traffic."}], "affected": [{"vendor": "Cisco", "product": "Cisco Nexus Dashboard Orchestrator", "versions": [{"version": "N/A", "status": "affected"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Access Control", "type": "cwe", "cweId": "CWE-284"}]}], "references": [{"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ndo-upav-YRqsCcSP", "name": "cisco-sa-ndo-upav-YRqsCcSP"}], "metrics": [{"format": "cvssV3_1", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW"}}], "exploits": [{"lang": "en", "value": "The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."}], "source": {"advisory": "cisco-sa-ndo-upav-YRqsCcSP", "discovery": "INTERNAL", "defects": ["CSCwi31692"]}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-20302", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-03T17:49:52.049033Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:39:57.558Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:59:42.220Z"}, "title": "CVE Program Container", "references": [{"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ndo-upav-YRqsCcSP", "name": "cisco-sa-ndo-upav-YRqsCcSP", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ndo-upav-YRqsCcSP", "name": "cisco-sa-ndo-upav-YRqsCcSP", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:59:42.220Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-20302", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-03T17:49:52.049033Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:21.698Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"source": {"defects": ["CSCwi31692"], "advisory": "cisco-sa-ndo-upav-YRqsCcSP", "discovery": "INTERNAL"}, "metrics": [{"format": "cvssV3_1", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "Cisco", "product": "Cisco Nexus Dashboard Orchestrator", "versions": [{"status": "affected", "version": "N/A"}]}], "exploits": [{"lang": "en", "value": "The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."}], "references": [{"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ndo-upav-YRqsCcSP", "name": "cisco-sa-ndo-upav-YRqsCcSP"}], "descriptions": [{"lang": "en", "value": "A vulnerability in the tenant security implementation of Cisco Nexus Dashboard Orchestrator (NDO) could allow an authenticated, remote attacker to modify or delete tenant templates on an affected system. \r\n \r\nThis vulnerability is due to improper access controls within tenant security. An attacker who is using a valid user account with write privileges and either a Site Manager or Tenant Manager role could exploit this vulnerability. A successful exploit could allow the attacker to modify or delete tenant templates under non-associated tenants, which could disrupt network traffic."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "cwe", "cweId": "CWE-284", "description": "Improper Access Control"}]}], "providerMetadata": {"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco", "dateUpdated": "2024-04-03T16:21:29.900Z"}}}, "cveMetadata": {"cveId": "CVE-2024-20302", "state": "PUBLISHED", "dateUpdated": "2024-08-01T21:59:42.220Z", "dateReserved": "2023-11-08T15:08:07.630Z", "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "datePublished": "2024-04-03T16:21:29.900Z", "assignerShortName": "cisco"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "A vulnerability in the tenant security implementation of Cisco Nexus Dashboard Orchestrator (NDO) could allow an authenticated, remote attacker to modify or delete tenant templates on an affected system. \r\n \r\nThis vulnerability is due to improper access controls within tenant security. An attacker who is using a valid user account with write privileges and either a Site Manager or Tenant Manager role could exploit this vulnerability. A successful exploit could allow the attacker to modify or delete tenant templates under non-associated tenants, which could disrupt network traffic."}, {"lang": "es", "value": "Una vulnerabilidad en la implementaci\u00f3n de seguridad de inquilinos de Cisco Nexus Dashboard Orchestrator (NDO) podr\u00eda permitir que un atacante remoto autenticado modifique o elimine plantillas de inquilinos en un SYSTEM afectado. Esta vulnerabilidad se debe a controles de acceso inadecuados dentro de la seguridad de los inquilinos. Un atacante que utilice una cuenta de usuario v\u00e1lida con privilegios de escritura y una funci\u00f3n de administrador del sitio o administrador de inquilinos podr\u00eda aprovechar esta vulnerabilidad. Un exploit exitoso podr\u00eda permitir al atacante modificar o eliminar plantillas de inquilinos en inquilinos no asociados, lo que podr\u00eda interrumpir el tr\u00e1fico de la red."}], "id": "CVE-2024-20302", "lastModified": "2024-11-21T08:52:18.023", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "ykramarz@cisco.com", "type": "Secondary"}]}, "published": "2024-04-03T17:15:48.323", "references": [{"source": "ykramarz@cisco.com", "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ndo-upav-YRqsCcSP"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ndo-upav-YRqsCcSP"}], "sourceIdentifier": "ykramarz@cisco.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "ykramarz@cisco.com", "type": "Secondary"}]}