cnvd - cnvd-2020-32907

cnvd-2020-32907

Vulnerability from cnvd

Title

Cisco Application Services Engine访问控制错误漏洞（CNVD-2020-32907）

Description

Cisco Application Services Engine是美国思科（Cisco）公司的一套用于部署Cisco数据中心应用的通用平台。 Cisco Application Services Engine 1.1.2.20之前版本中的API存在访问控制错误漏洞，该漏洞源于未能充分的进行身份验证。远程攻击者可通过发送恶意的HTTP请求利用该漏洞更新事件策略。

Severity

中

Patch Name

Cisco Application Services Engine访问控制错误漏洞（CNVD-2020-32907）的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-APIC-EPU-F8y5kUOP

Reference

https://nvd.nist.gov/vuln/detail/CVE-2020-3333

Impacted products

Name
Cisco Application Services Engine <1.1.2.20

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-3333"
    }
  },
  "description": "Cisco Application Services Engine\u662f\u7f8e\u56fd\u601d\u79d1\uff08Cisco\uff09\u516c\u53f8\u7684\u4e00\u5957\u7528\u4e8e\u90e8\u7f72Cisco\u6570\u636e\u4e2d\u5fc3\u5e94\u7528\u7684\u901a\u7528\u5e73\u53f0\u3002\n\nCisco Application Services Engine 1.1.2.20\u4e4b\u524d\u7248\u672c\u4e2d\u7684API\u5b58\u5728\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u672a\u80fd\u5145\u5206\u7684\u8fdb\u884c\u8eab\u4efd\u9a8c\u8bc1\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u53d1\u9001\u6076\u610f\u7684HTTP\u8bf7\u6c42\u5229\u7528\u8be5\u6f0f\u6d1e\u66f4\u65b0\u4e8b\u4ef6\u7b56\u7565\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-APIC-EPU-F8y5kUOP",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-32907",
  "openTime": "2020-06-15",
  "patchDescription": "Cisco Application Services Engine\u662f\u7f8e\u56fd\u601d\u79d1\uff08Cisco\uff09\u516c\u53f8\u7684\u4e00\u5957\u7528\u4e8e\u90e8\u7f72Cisco\u6570\u636e\u4e2d\u5fc3\u5e94\u7528\u7684\u901a\u7528\u5e73\u53f0\u3002\r\n\r\nCisco Application Services Engine 1.1.2.20\u4e4b\u524d\u7248\u672c\u4e2d\u7684API\u5b58\u5728\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u672a\u80fd\u5145\u5206\u7684\u8fdb\u884c\u8eab\u4efd\u9a8c\u8bc1\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u53d1\u9001\u6076\u610f\u7684HTTP\u8bf7\u6c42\u5229\u7528\u8be5\u6f0f\u6d1e\u66f4\u65b0\u4e8b\u4ef6\u7b56\u7565\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Cisco Application Services Engine\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\uff08CNVD-2020-32907\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "Cisco Application Services Engine \u003c1.1.2.20"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-3333",
  "serverity": "\u4e2d",
  "submitTime": "2020-06-04",
  "title": "Cisco Application Services Engine\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\uff08CNVD-2020-32907\uff09"
}

CVE-2020-3333 (GCVE-0-2020-3333)

Vulnerability from cvelistv5

Published

2020-06-03 17:56

Modified

2024-11-15 17:10

Severity ?

5.3 (Medium) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE

CWE-306

Summary

A vulnerability in the API of Cisco Application Services Engine Software could allow an unauthenticated, remote attacker to update event policies on an affected device. The vulnerability is due to insufficient authentication of users who modify policies on an affected device. An attacker could exploit this vulnerability by crafting a malicious HTTP request to contact an affected device. A successful exploit could allow the attacker to update event policies on the affected device.

References

URL

Tags

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-APIC-EPU-F8y5kUOP

vendor-advisory, x_refsource_CISCO