From ddd18db4cdc57617f9f31c5e8f8e026cb3876e68 Mon Sep 17 00:00:00 2001 From: santosomar Date: Wed, 18 Nov 2020 17:31:55 +0000 Subject: [PATCH] Adding Cisco CVE-2020-26072 --- 2020/26xxx/CVE-2020-26072.json | 82 +++++++++++++++++++++++++++++++--- 1 file changed, 75 insertions(+), 7 deletions(-) diff --git a/2020/26xxx/CVE-2020-26072.json b/2020/26xxx/CVE-2020-26072.json index 13bde4dd09e..31fdcc7d8cc 100644 --- a/2020/26xxx/CVE-2020-26072.json +++ b/2020/26xxx/CVE-2020-26072.json @@ -1,18 +1,86 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "psirt@cisco.com", + "DATE_PUBLIC": "2020-11-18T16:00:00", "ID": "CVE-2020-26072", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "Cisco IoT Field Network Director SOAP API Authorization Bypass Vulnerability" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Cisco IoT Field Network Director (IoT-FND) ", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "Cisco" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": " A vulnerability in the SOAP API of Cisco IoT Field Network Director (FND) could allow an authenticated, remote attacker to access and modify information on devices that belong to a different domain. The vulnerability is due to insufficient authorization in the SOAP API. An attacker could exploit this vulnerability by sending SOAP API requests to affected devices for devices that are outside their authorized domain. A successful exploit could allow the attacker to access and modify information on devices that belong to a different domain. " } ] + }, + "exploit": [ + { + "lang": "eng", + "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. " + } + ], + "impact": { + "cvss": { + "baseScore": "8.7", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N ", + "version": "3.0" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-284" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "20201118 Cisco IoT Field Network Director SOAP API Authorization Bypass Vulnerability", + "refsource": "CISCO", + "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-AUTH-vEypBmmR" + } + ] + }, + "source": { + "advisory": "cisco-sa-FND-AUTH-vEypBmmR", + "defect": [ + [ + "CSCvt45167" + ] + ], + "discovery": "INTERNAL" } -} \ No newline at end of file +}