CVE-2022-20860

2022-07-2104:15:10

CWE-295

[email protected]

web.nvd.nist.gov

cisco

nexus dashboard

ssl

tls

vulnerability

remote attacker

communication alteration

sensitive information

nvd

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

6.7 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

46.8%

JSON

A vulnerability in the SSL/TLS implementation of Cisco Nexus Dashboard could allow an unauthenticated, remote attacker to alter communications with associated controllers or view sensitive information. This vulnerability exists because SSL server certificates are not validated when Cisco Nexus Dashboard is establishing a connection to Cisco Application Policy Infrastructure Controller (APIC), Cisco Cloud APIC, or Cisco Nexus Dashboard Fabric Controller, formerly Data Center Network Manager (DCNM) controllers. An attacker could exploit this vulnerability by using man-in-the-middle techniques to intercept the traffic between the affected device and the controllers, and then using a crafted certificate to impersonate the controllers. A successful exploit could allow the attacker to alter communications between devices or view sensitive information, including Administrator credentials for these controllers.

Affected configurations

NVD

Node

cisconexus_dashboardRange1.1–2.2\(1h\)

CPENameOperatorVersion
cisco:nexus_dashboardcisco nexus dashboardlt2.2\(1h\)

CPE	Name	Operator	Version
cisco:nexus_dashboard	cisco nexus dashboard	lt	2.2\(1h\)

CNA Affected

[
  {
    "product": "Cisco Nexus Dashboard ",
    "vendor": "Cisco",
    "versions": [
      {
        "status": "affected",
        "version": "n/a"
      }
    ]
  }
]