CVE-2020-3329

Summary

CVE	CVE-2020-3329
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2020-05-06 17:15:00 UTC
Updated	2021-10-26 16:29:00 UTC
Description	A vulnerability in role-based access control of Cisco Integrated Management Controller (IMC) Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data could allow a read-only authenticated, remote attacker to disable user accounts on an affected system. The vulnerability is due to incorrect allocation of the enable/disable action button under the role-based access control code on an affected system. An attacker could exploit this vulnerability by authenticating as a read-only user and then updating the roles of other users to disable them. A successful exploit could allow the attacker to disable users, including administrative users.

Risk And Classification

Problem Types: NVD-CWE-Other

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Cisco	Integrated Management Controller Supervisor	All	All	All	All
Application	Cisco	Integrated Management Controller Supervisor	All	All	All	All
Application	Cisco	Ucs Director	All	All	All	All
Application	Cisco	Ucs Director	All	All	All	All
Application	Cisco	Ucs Director Express For Big Data	All	All	All	All
Application	Cisco	Ucs Director Express For Big Data	All	All	All	All

References

Reference	Source	Link	Tags
Cisco IMC Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data Role-Based Access Control Vulnerability	CISCO	tools.cisco.com	Vendor Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.