CVE-2024-20365: Cisco Integrated Management Controller Redfish Command Injection Vulnerability
First published: Wed Oct 02 2024(Updated: )
A vulnerability in the Redfish API of Cisco UCS B-Series, Cisco UCS Managed C-Series, and Cisco UCS X-Series Servers could allow an authenticated, remote attacker with administrative privileges to perform command injection attacks on an affected system and elevate privileges to root. This vulnerability is due to insufficient input validation. An attacker with administrative privileges could exploit this vulnerability by sending crafted commands through the Redfish API on an affected device. A successful exploit could allow the attacker to elevate privileges to root.
Credit: ykramarz@cisco.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cisco Unified Computing System software | =4.1\(2a\) | |
| Cisco Unified Computing System software | =4.1\(2b\) | |
| Cisco Unified Computing System software | =4.1\(2c\) | |
| Cisco Unified Computing System software | =4.1\(3a\) | |
| Cisco Unified Computing System software | =4.1\(3b\) | |
| Cisco Unified Computing System software | =4.1\(3c\) | |
| Cisco Unified Computing System software | =4.1\(3d\) | |
| Cisco Unified Computing System software | =4.1\(3e\) | |
| Cisco Unified Computing System software | =4.1\(3f\) | |
| Cisco Unified Computing System software | =4.1\(3h\) | |
| Cisco Unified Computing System software | =4.1\(3i\) | |
| Cisco Unified Computing System software | =4.1\(3j\) | |
| Cisco Unified Computing System software | =4.1\(3k\) | |
| Cisco Unified Computing System software | =4.1\(3l\) | |
| Cisco Unified Computing System software | =4.1\(3m\) | |
| Cisco Unified Computing System software | =4.1\(4a\) | |
| Cisco Unified Computing System software | =4.2\(1c\) | |
| Cisco Unified Computing System software | =4.2\(1d\) | |
| Cisco Unified Computing System software | =4.2\(1f\) | |
| Cisco Unified Computing System software | =4.2\(1i\) | |
| Cisco Unified Computing System software | =4.2\(1k\) | |
| Cisco Unified Computing System software | =4.2\(1l\) | |
| Cisco Unified Computing System software | =4.2\(1m\) | |
| Cisco Unified Computing System software | =4.2\(1n\) | |
| Cisco Unified Computing System software | =4.2\(2a\) | |
| Cisco Unified Computing System software | =4.2\(2c\) | |
| Cisco Unified Computing System software | =4.2\(2d\) | |
| Cisco Unified Computing System software | =4.2\(2e\) | |
| Cisco Unified Computing System software | =4.2\(3b\) | |
| Cisco Unified Computing System software | =4.2\(3d\) | |
| Cisco Unified Computing System software | =4.2\(3e\) | |
| Cisco Unified Computing System software | =4.2\(3g\) | |
| Cisco Unified Computing System software | =4.2\(3h\) | |
| Cisco Unified Computing System software | =4.2\(3i\) | |
| Cisco Unified Computing System software | =4.2\(3j\) | |
| Cisco Unified Computing System software | =4.2\(3k\) | |
| Cisco Unified Computing System software | =4.3\(2b\) | |
| Cisco Unified Computing System software | =4.3\(2c\) | |
| Cisco Unified Computing System software | =4.3\(2e\) | |
| Cisco Unified Computing System software | =4.3\(3a\) | |
| Cisco Unified Computing System software | =4.3\(3c\) | |
| Cisco Unified Computing System software | =4.3\(4a\) | |
| Cisco Unified Computing System software | =4.3\(4b\) |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-20365?
CVE-2024-20365 is rated as high severity due to its potential for command injection and privilege escalation.
How do I fix CVE-2024-20365?
To mitigate CVE-2024-20365, it is essential to upgrade Cisco Unified Computing System software to the latest recommended version that addresses this vulnerability.
Who is affected by CVE-2024-20365?
CVE-2024-20365 affects authenticated users with administrative privileges on specific Cisco UCS servers utilizing the Redfish API.
What types of attacks can CVE-2024-20365 enable?
CVE-2024-20365 can enable an attacker to perform command injection attacks, potentially leading to full system compromise.
Is there a workaround for CVE-2024-20365?
Currently, there is no documented workaround for CVE-2024-20365, thus updating the software is strongly recommended.
- agent/weakness
- agent/title
- agent/references
- agent/type
- agent/description
- agent/first-publish-date
- agent/author
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/softwarecombine
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/cisco
- canonical/cisco unified computing system software
- version/cisco unified computing system software/4.1\(2a\)
- version/cisco unified computing system software/4.1\(2b\)
- version/cisco unified computing system software/4.1\(2c\)
- version/cisco unified computing system software/4.1\(3a\)
- version/cisco unified computing system software/4.1\(3b\)
- version/cisco unified computing system software/4.1\(3c\)
- version/cisco unified computing system software/4.1\(3d\)
- version/cisco unified computing system software/4.1\(3e\)
- version/cisco unified computing system software/4.1\(3f\)
- version/cisco unified computing system software/4.1\(3h\)
- version/cisco unified computing system software/4.1\(3i\)
- version/cisco unified computing system software/4.1\(3j\)
- version/cisco unified computing system software/4.1\(3k\)
- version/cisco unified computing system software/4.1\(3l\)
- version/cisco unified computing system software/4.1\(3m\)
- version/cisco unified computing system software/4.1\(4a\)
- version/cisco unified computing system software/4.2\(1c\)
- version/cisco unified computing system software/4.2\(1d\)
- version/cisco unified computing system software/4.2\(1f\)
- version/cisco unified computing system software/4.2\(1i\)
- version/cisco unified computing system software/4.2\(1k\)
- version/cisco unified computing system software/4.2\(1l\)
- version/cisco unified computing system software/4.2\(1m\)
- version/cisco unified computing system software/4.2\(1n\)
- version/cisco unified computing system software/4.2\(2a\)
- version/cisco unified computing system software/4.2\(2c\)
- version/cisco unified computing system software/4.2\(2d\)
- version/cisco unified computing system software/4.2\(2e\)
- version/cisco unified computing system software/4.2\(3b\)
- version/cisco unified computing system software/4.2\(3d\)
- version/cisco unified computing system software/4.2\(3e\)
- version/cisco unified computing system software/4.2\(3g\)
- version/cisco unified computing system software/4.2\(3h\)
- version/cisco unified computing system software/4.2\(3i\)
- version/cisco unified computing system software/4.2\(3j\)
- version/cisco unified computing system software/4.2\(3k\)
- version/cisco unified computing system software/4.3\(2b\)
- version/cisco unified computing system software/4.3\(2c\)
- version/cisco unified computing system software/4.3\(2e\)
- version/cisco unified computing system software/4.3\(3a\)
- version/cisco unified computing system software/4.3\(3c\)
- version/cisco unified computing system software/4.3\(4a\)
- version/cisco unified computing system software/4.3\(4b\)