CERT-In Vulnerability Note
Multiple Vulnerabilities in Cisco Nexus Dashboard
Original Issue Date: July 22, 2022
Severity Rating: HIGH
- Cisco Nexus Dashboard versions 1.1, 2.0, 2.1 and 2.2
Multiple vulnerabilities have been reported in Cisco Nexus Dashboard which could be exploited by a remote attacker to execute arbitrary code, bypass security restrictions and perform cross-site request forgery attacks on the targeted system.
1. Arbitrary Command Execution Vulnerability
This vulnerability exists in Cisco Nexus Dashboard due to missing authentication for a critical function in an API that is running in the data network. A remote attacker could exploit this vulnerability by sending crafted HTTP requests to the affected API.
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the targeted system.
2. Security Bypass Vulnerability
This vulnerability exists in Cisco Nexus Dashboard due to improper access controls for a service that manages container images. A remote attacker could exploit this vulnerability by opening a TCP connection to the affected service to download container images or upload malicious container images to an affected device.
Successful exploitation of this vulnerability could allow a remote attacker to bypass security restrictions on the targeted system.
3. Cross-Site Request Forgery Vulnerability
This vulnerability exists in Cisco Nexus Dashboard due to improper validation of user-supplied input by the web UI that is running in the management network. A remote attacker could exploit this vulnerability by persuading the victim to open a malicious website.
Successful exploitation of this vulnerability could allow a remote attacker to gain access to administrative privileges to perform cross-site request forgery attacks on the targeted system.
Apply appropriate updates as mentioned by vendor:
The information provided herein is on "as is" basis, without warranty of any kind.
Email: email@example.com Phone: +91-11-24368572
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003