CVE-2024-20302

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

A

vulnerability in the tenant security implementation of Cisco Nexus Dashboard Orchestrator (NDO) could allow an authenticated, remote attacker to modify or delete tenant templates on an affected system. This vulnerability is due to improper access controls within tenant security. An attacker who is using a valid user account with write privileges and either a Site Manager or Tenant Manager role could exploit this vulnerability. A successful exploit could allow the attacker to modify or delete tenant templates under non-associated tenants, which could disrupt network traffic.

References

Link	Resource
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ndo-upav-YRqsCcSP	Vendor Advisory
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ndo-upav-YRqsCcSP	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:cisco:nexus_dashboard_orchestrator:*:*:*:*:*:*:*:*

History

11 Apr 2025, 15:17

Type	Values Removed	Values Added
First Time		Cisco Cisco nexus Dashboard Orchestrator
CPE		cpe:2.3:a:cisco:nexus_dashboard_orchestrator::::::::
References	~~() https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ndo-upav-YRqsCcSP -~~	() https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ndo-upav-YRqsCcSP - Vendor Advisory
CWE		NVD-CWE-noinfo

21 Nov 2024, 08:52

Type	Values Removed	Values Added
References	~~() https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ndo-upav-YRqsCcSP -~~	() https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ndo-upav-YRqsCcSP -

Information

Published : 2024-04-03 17:15

Updated : 2025-04-11 15:17

NVD link : CVE-2024-20302

Mitre link : CVE-2024-20302

CVE.ORG link : CVE-2024-20302

JSON object : View

Products Affected

nexus_dashboard_orchestrator

CWE

CWE-284

Improper Access Control

NVD-CWE-noinfo

{"id": "CVE-2024-20302", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 2.5, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2024-04-03T17:15:48.323", "references": [{"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ndo-upav-YRqsCcSP", "tags": ["Vendor Advisory"], "source": "[email protected]"}, {"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ndo-upav-YRqsCcSP", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-284"}]}, {"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in the tenant security implementation of Cisco Nexus Dashboard Orchestrator (NDO) could allow an authenticated, remote attacker to modify or delete tenant templates on an affected system. \r\n \r\nThis vulnerability is due to improper access controls within tenant security. An attacker who is using a valid user account with write privileges and either a Site Manager or Tenant Manager role could exploit this vulnerability. A successful exploit could allow the attacker to modify or delete tenant templates under non-associated tenants, which could disrupt network traffic."}, {"lang": "es", "value": "Una vulnerabilidad en la implementaci\u00f3n de seguridad de inquilinos de Cisco Nexus Dashboard Orchestrator (NDO) podr\u00eda permitir que un atacante remoto autenticado modifique o elimine plantillas de inquilinos en un SYSTEM afectado. Esta vulnerabilidad se debe a controles de acceso inadecuados dentro de la seguridad de los inquilinos. Un atacante que utilice una cuenta de usuario v\u00e1lida con privilegios de escritura y una funci\u00f3n de administrador del sitio o administrador de inquilinos podr\u00eda aprovechar esta vulnerabilidad. Un exploit exitoso podr\u00eda permitir al atacante modificar o eliminar plantillas de inquilinos en inquilinos no asociados, lo que podr\u00eda interrumpir el tr\u00e1fico de la red."}], "lastModified": "2025-04-11T15:17:51.057", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cisco:nexus_dashboard_orchestrator:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "442BBB07-B6C7-4AAD-8FC8-4BDF30ABC5FA", "versionEndExcluding": "4.2(3e)"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}