{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-20536", "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "state": "PUBLISHED", "assignerShortName": "cisco", "dateReserved": "2023-11-08T15:08:07.693Z", "datePublished": "2024-11-06T16:31:38.476Z", "dateUpdated": "2024-11-09T04:55:53.544Z"}, "containers": {"cna": {"title": "Cisco Nexus Dashboard Fabric Controller SQL Injection Vulnerability", "metrics": [{"format": "cvssV3_1", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}}], "descriptions": [{"lang": "en", "value": "A vulnerability in a REST API endpoint and web-based management interface of Cisco Nexus Dashboard Fabric Controller (NDFC) could allow an authenticated, remote attacker with read-only privileges to execute arbitrary SQL commands on an affected device.\r\n\r\nThis vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted request to a specific REST API endpoint or web-based management interface. A successful exploit could allow the attacker to read, modify, or delete arbitrary data on an internal database, which could affect the availability of the device. "}], "references": [{"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ndfc-sqli-CyPPAxrL", "name": "cisco-sa-ndfc-sqli-CyPPAxrL"}], "exploits": [{"lang": "en", "value": "The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."}], "source": {"advisory": "cisco-sa-ndfc-sqli-CyPPAxrL", "discovery": "EXTERNAL", "defects": ["CSCwm50506"]}, "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "cwe", "cweId": "CWE-89"}]}], "affected": [{"vendor": "Cisco", "product": "Cisco Data Center Network Manager", "versions": [{"version": "12.1.2e", "status": "affected"}, {"version": "12.1.2p", "status": "affected"}, {"version": "12.1.3b", "status": "affected"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco", "dateUpdated": "2024-11-06T16:31:38.476Z"}}, "adp": [{"affected": [{"vendor": "cisco", "product": "data_center_network_manager", "cpes": ["cpe:2.3:a:cisco:data_center_network_manager:12.1.2e:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "12.1.2e", "status": "affected"}]}, {"vendor": "cisco", "product": "data_center_network_manager", "cpes": ["cpe:2.3:a:cisco:data_center_network_manager:12.1.2p:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "12.1.2p", "status": "affected"}]}, {"vendor": "cisco", "product": "data_center_network_manager", "cpes": ["cpe:2.3:a:cisco:data_center_network_manager:12.1.3b:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "12.1.3b", "status": "affected"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-11-08T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2024-20536"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-09T04:55:53.544Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-20536", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-11-06T17:07:51.159359Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:cisco:data_center_network_manager:12.1.2e:*:*:*:*:*:*:*"], "vendor": "cisco", "product": "data_center_network_manager", "versions": [{"status": "affected", "version": "12.1.2e"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:cisco:data_center_network_manager:12.1.2p:*:*:*:*:*:*:*"], "vendor": "cisco", "product": "data_center_network_manager", "versions": [{"status": "affected", "version": "12.1.2p"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:cisco:data_center_network_manager:12.1.3b:*:*:*:*:*:*:*"], "vendor": "cisco", "product": "data_center_network_manager", "versions": [{"status": "affected", "version": "12.1.3b"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-06T17:18:02.652Z"}}], "cna": {"title": "Cisco Nexus Dashboard Fabric Controller SQL Injection Vulnerability", "source": {"defects": ["CSCwm50506"], "advisory": "cisco-sa-ndfc-sqli-CyPPAxrL", "discovery": "EXTERNAL"}, "metrics": [{"format": "cvssV3_1", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Cisco", "product": "Cisco Data Center Network Manager", "versions": [{"status": "affected", "version": "12.1.2e"}, {"status": "affected", "version": "12.1.2p"}, {"status": "affected", "version": "12.1.3b"}], "defaultStatus": "unknown"}], "exploits": [{"lang": "en", "value": "The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."}], "references": [{"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ndfc-sqli-CyPPAxrL", "name": "cisco-sa-ndfc-sqli-CyPPAxrL"}], "descriptions": [{"lang": "en", "value": "A vulnerability in a REST API endpoint and web-based management interface of Cisco Nexus Dashboard Fabric Controller (NDFC) could allow an authenticated, remote attacker with read-only privileges to execute arbitrary SQL commands on an affected device.\r\n\r\nThis vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted request to a specific REST API endpoint or web-based management interface. A successful exploit could allow the attacker to read, modify, or delete arbitrary data on an internal database, which could affect the availability of the device. "}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "cwe", "cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco", "dateUpdated": "2024-11-06T16:31:38.476Z"}}}, "cveMetadata": {"cveId": "CVE-2024-20536", "state": "PUBLISHED", "dateUpdated": "2024-11-09T04:55:53.544Z", "dateReserved": "2023-11-08T15:08:07.693Z", "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "datePublished": "2024-11-06T16:31:38.476Z", "assignerShortName": "cisco"}, "dataVersion": "5.1"}

{"affected": [{"affectedData": [{"defaultStatus": "unknown", "product": "Cisco Data Center Network Manager", "vendor": "Cisco", "versions": [{"status": "affected", "version": "12.1.2e"}, {"status": "affected", "version": "12.1.2p"}, {"status": "affected", "version": "12.1.3b"}]}], "source": "psirt@cisco.com"}, {"affectedData": [{"cpes": ["cpe:2.3:a:cisco:data_center_network_manager:12.1.2e:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "product": "data_center_network_manager", "vendor": "cisco", "versions": [{"status": "affected", "version": "12.1.2e"}]}, {"cpes": ["cpe:2.3:a:cisco:data_center_network_manager:12.1.2p:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "product": "data_center_network_manager", "vendor": "cisco", "versions": [{"status": "affected", "version": "12.1.2p"}]}, {"cpes": ["cpe:2.3:a:cisco:data_center_network_manager:12.1.3b:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "product": "data_center_network_manager", "vendor": "cisco", "versions": [{"status": "affected", "version": "12.1.3b"}]}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cisco:nexus_dashboard_fabric_controller:12.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "8CA48E2A-4C63-436E-807C-4EDD163781D2", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:nexus_dashboard_fabric_controller:12.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "51EE96E1-D7D3-4C58-AAA3-7A2C29B4F283", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in a REST API endpoint and web-based management interface of Cisco Nexus Dashboard Fabric Controller (NDFC) could allow an authenticated, remote attacker with read-only privileges to execute arbitrary SQL commands on an affected device.\r\n\r\nThis vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted request to a specific REST API endpoint or web-based management interface. A successful exploit could allow the attacker to read, modify, or delete arbitrary data on an internal database, which could affect the availability of the device. "}, {"lang": "es", "value": "Una vulnerabilidad en un endpoint de API REST y una interfaz de administraci\u00f3n basada en web de Cisco Nexus Dashboard Fabric Controller (NDFC) podr\u00eda permitir que un atacante remoto autenticado con privilegios de solo lectura ejecute comandos SQL arbitrarios en un dispositivo afectado. Esta vulnerabilidad se debe a una validaci\u00f3n insuficiente de la entrada proporcionada por el usuario. Un atacante podr\u00eda aprovechar esta vulnerabilidad enviando una solicitud manipulado a un endpoint de API REST o una interfaz de administraci\u00f3n basada en web espec\u00edficos. Una explotaci\u00f3n exitosa podr\u00eda permitir que el atacante lea, modifique o elimine datos arbitrarios en una base de datos interna, lo que podr\u00eda afectar la disponibilidad del dispositivo."}], "id": "CVE-2024-20536", "lastModified": "2026-06-17T07:07:31.813", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "psirt@cisco.com", "type": "Secondary"}], "ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2024-20536", "options": [{"exploitation": "none"}, {"automatable": "no"}, {"technicalImpact": "total"}], "role": "CISA Coordinator", "timestamp": "2024-11-08T00:00:00+00:00", "version": "2.0.3"}}]}, "published": "2024-11-06T17:15:19.140", "references": [{"source": "psirt@cisco.com", "tags": ["Vendor Advisory"], "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ndfc-sqli-CyPPAxrL"}], "sourceIdentifier": "psirt@cisco.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "psirt@cisco.com", "type": "Secondary"}]}

{}

{}