nvd-json-data-feeds/CVE-2020/CVE-2020-33xx/CVE-2020-3365.json

{
  "id": "CVE-2020-3365",
  "sourceIdentifier": "ykramarz@cisco.com",
  "published": "2020-09-04T03:15:09.917",
  "lastModified": "2020-09-09T20:11:14.097",
  "vulnStatus": "Analyzed",
  "descriptions": [
    {
      "lang": "en",
      "value": "A vulnerability in the directory permissions of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, remote attacker to perform a directory traversal attack on a limited set of restricted directories. The vulnerability is due to a flaw in the logic that governs directory permissions. An attacker could exploit this vulnerability by using capabilities that are not controlled by the role-based access control (RBAC) mechanisms of the software. A successful exploit could allow the attacker to overwrite files on an affected device."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad en los permisos de directorio de Cisco Enterprise NFV Infrastructure Software (NFVIS) podr\u00eda permitir a un atacante autenticado remoto llevar a cabo un ataque de salto de directorio en un conjunto limitado de directorios restringidos. La vulnerabilidad es debido a un fallo en la l\u00f3gica que gobierna los permisos de directorio. Un atacante podr\u00eda explotar esta vulnerabilidad por medio del uso de capacidades que no est\u00e1n controladas por los mecanismos de control de acceso basado en roles (RBAC) del software. Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir a un atacante sobrescribir archivos en un dispositivo afectado"
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "LOW",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6
      }
    ],
    "cvssMetricV30": [
      {
        "source": "ykramarz@cisco.com",
        "type": "Secondary",
        "cvssData": {
          "version": "3.0",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "LOW",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4
      }
    ],
    "cvssMetricV2": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "2.0",
          "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
          "accessVector": "NETWORK",
          "accessComplexity": "LOW",
          "authentication": "SINGLE",
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "availabilityImpact": "NONE",
          "baseScore": 4.0
        },
        "baseSeverity": "MEDIUM",
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "acInsufInfo": false,
        "obtainAllPrivilege": false,
        "obtainUserPrivilege": false,
        "obtainOtherPrivilege": false,
        "userInteractionRequired": false
      }
    ]
  },
  "weaknesses": [
    {
      "source": "nvd@nist.gov",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ]
    },
    {
      "source": "ykramarz@cisco.com",
      "type": "Secondary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ]
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "operator": "OR",
          "negate": false,
          "cpeMatch": [
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:cisco:enterprise_network_function_virtualization_infrastructure:*:*:*:*:*:*:*:*",
              "versionStartIncluding": "3.5.1",
              "versionEndIncluding": "4.1.2",
              "matchCriteriaId": "A3233959-3C13-4B83-9234-5823747DE2A6"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nfvis-path-emy79OC2",
      "source": "ykramarz@cisco.com",
      "tags": [
        "Vendor Advisory"
      ]
    }
  ]
}