CVE-2020-3362

A vulnerability in the CLI of Cisco Network Services Orchestrator (NSO) could allow an authenticated, local attacker to access confidential information on an affected device. The vulnerability is due to a timing issue in the processing of CLI commands. An attacker could exploit this vulnerability by executing a specific sequence of commands on the CLI. A successful exploit could allow the attacker to read configuration information that would normally be accessible to administrators only.

CVSS v3 4.7 MEDIUM
CVSS v2.0 1.9 LOW

4.7^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.0 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

1.9^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:M/Au:N/C:P/I:N/A:N

Exploitability : 3.4 / Impact : 2.9

Access Vector LOCAL

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nso-info-disclosure-WdNvBTNq	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:cisco:network_services_orchestrator::::::::
	cpe:2.3:a:cisco:network_services_orchestrator::::::::

History

06 Aug 2021, 18:50

Type	Values Removed	Values Added
CWE	~~CWE-200~~	NVD-CWE-noinfo

Information

Published : 2020-06-18 03:15

Updated : 2024-02-04 21:00

NVD link : CVE-2020-3362

Mitre link : CVE-2020-3362

CVE.ORG link : CVE-2020-3362

JSON object : View

Products Affected

cisco

network_services_orchestrator

CWE

NVD-CWE-noinfo CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2020-3362", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 1.9, "accessVector": "LOCAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.4, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.0}, {"type": "Secondary", "source": "ykramarz@cisco.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.0}]}, "published": "2020-06-18T03:15:14.607", "references": [{"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nso-info-disclosure-WdNvBTNq", "tags": ["Vendor Advisory"], "source": "ykramarz@cisco.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "ykramarz@cisco.com", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in the CLI of Cisco Network Services Orchestrator (NSO) could allow an authenticated, local attacker to access confidential information on an affected device. The vulnerability is due to a timing issue in the processing of CLI commands. An attacker could exploit this vulnerability by executing a specific sequence of commands on the CLI. A successful exploit could allow the attacker to read configuration information that would normally be accessible to administrators only."}, {"lang": "es", "value": "Una vulnerabilidad en la CLI de Cisco Network Services Orchestrator (NSO), podr\u00eda permitir a un atacante local autenticado acceder a informaci\u00f3n confidencial sobre un dispositivo afectado. La vulnerabilidad es debido a un problema de sincronizaci\u00f3n en el procesamiento de los comandos de la CLI. Un atacante podr\u00eda explotar esta vulnerabilidad al ejecutar una secuencia espec\u00edfica de comandos en la CLI. Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir al atacante leer la informaci\u00f3n de configuraci\u00f3n que normalmente ser\u00eda accesible solo para administradores"}], "lastModified": "2023-11-07T03:22:38.000", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cisco:network_services_orchestrator:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EBCE3A91-9C74-4B30-9559-6DEBB45F3E5A", "versionEndExcluding": "4.7.7.3"}, {"criteria": "cpe:2.3:a:cisco:network_services_orchestrator:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "41099C1F-E26C-4B42-8F51-4B6727D54246", "versionEndExcluding": "5.1.4.2", "versionStartIncluding": "5.1.0.1"}], "operator": "OR"}]}], "sourceIdentifier": "ykramarz@cisco.com"}