Vulnerabilities (CVE)

Filtered by vendor Cisco Subscribe
Filtered by product Unified Computing System
Total 108 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-20365 1 Cisco 1 Unified Computing System 2024-10-08 N/A 7.2 HIGH
A vulnerability in the Redfish API of Cisco UCS B-Series, Cisco UCS Managed C-Series, and Cisco UCS X-Series Servers could allow an authenticated, remote attacker with administrative privileges to perform command injection attacks on an affected system and elevate privileges to root. This vulnerability is due to insufficient input validation. An attacker with administrative privileges could exploit this vulnerability by sending crafted commands through the Redfish API on an affected device. A successful exploit could allow the attacker to elevate privileges to root.
CVE-2021-44228 12 Apache, Apple, Bentley and 9 more 157 Log4j, Xcode, Synchro and 154 more 2024-07-24 9.3 HIGH 10.0 CRITICAL
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
CVE-2020-10136 4 Cisco, Digi, Hp and 1 more 63 Nexus 1000v, Nexus 1000ve, Nexus 3016 and 60 more 2024-06-17 5.0 MEDIUM 5.3 MEDIUM
IP-in-IP protocol specifies IP Encapsulation within IP standard (RFC 2003, STD 1) that decapsulate and route IP-in-IP traffic is vulnerable to spoofing, access-control bypass and other unexpected behavior due to the lack of validation to verify network packets before decapsulation and routing.
CVE-2021-34736 1 Cisco 23 Ucs C125 M5, Ucs C220 M3, Ucs C220 M4 and 20 more 2024-02-28 5.0 MEDIUM 7.5 HIGH
A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Software could allow an unauthenticated, remote attacker to cause the web-based management interface to unexpectedly restart. The vulnerability is due to insufficient input validation on the web-based management interface. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to cause the interface to restart, resulting in a denial of service (DoS) condition.
CVE-2021-1592 1 Cisco 3 Unified Computing System, Unified Computing System 64108, Unified Computing System 6454 2024-02-28 4.0 MEDIUM 4.3 MEDIUM
A vulnerability in the way Cisco UCS Manager software handles SSH sessions could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper resource management for established SSH sessions. An attacker could exploit this vulnerability by opening a significant number of SSH sessions on an affected device. A successful exploit could allow the attacker to cause a crash and restart of internal Cisco UCS Manager software processes and a temporary loss of access to the Cisco UCS Manager CLI and web UI. Note: The attacker must have valid user credentials to authenticate to the affected device.
CVE-2021-1590 1 Cisco 103 Nexus 3000, Nexus 3048, Nexus 31108pc-v and 100 more 2024-02-28 4.3 MEDIUM 5.3 MEDIUM
A vulnerability in the implementation of the system login block-for command for Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause a login process to unexpectedly restart, causing a denial of service (DoS) condition. This vulnerability is due to a logic error in the implementation of the system login block-for command when an attack is detected and acted upon. An attacker could exploit this vulnerability by performing a brute-force login attack on an affected device. A successful exploit could allow the attacker to cause a login process to reload, which could result in a delay during authentication to the affected device.
CVE-2021-1387 1 Cisco 121 Nexus 3016, Nexus 3016q, Nexus 3048 and 118 more 2024-02-28 4.3 MEDIUM 8.6 HIGH
A vulnerability in the network stack of Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability exists because the software improperly releases resources when it processes certain IPv6 packets that are destined to an affected device. An attacker could exploit this vulnerability by sending multiple crafted IPv6 packets to an affected device. A successful exploit could cause the network stack to run out of available buffers, impairing operations of control plane and management plane protocols and resulting in a DoS condition. Manual intervention would be required to restore normal operations on the affected device. For more information about the impact of this vulnerability, see the Details section of this advisory.
CVE-2019-1736 1 Cisco 22 Fmc1000-k9 Bios, Fmc1000-k9 Firmware, Fmc2500-k9 Bios and 19 more 2024-02-28 6.9 MEDIUM 6.6 MEDIUM
A vulnerability in the firmware of the Cisco UCS C-Series Rack Servers could allow an authenticated, physical attacker to bypass Unified Extensible Firmware Interface (UEFI) Secure Boot validation checks and load a compromised software image on an affected device. The vulnerability is due to improper validation of the server firmware upgrade images. An attacker could exploit this vulnerability by installing a server firmware version that would allow the attacker to disable UEFI Secure Boot. A successful exploit could allow the attacker to bypass the signature validation checks that are done by UEFI Secure Boot technology and load a compromised software image on the affected device. A compromised software image is any software image that has not been digitally signed by Cisco.
CVE-2021-1368 1 Cisco 101 Firepower 4110, Firepower 4112, Firepower 4115 and 98 more 2024-02-28 4.9 MEDIUM 8.8 HIGH
A vulnerability in the Unidirectional Link Detection (UDLD) feature of Cisco FXOS Software and Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to execute arbitrary code with administrative privileges or cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending crafted Cisco UDLD protocol packets to a directly connected, affected device. A successful exploit could allow the attacker to execute arbitrary code with administrative privileges or cause the Cisco UDLD process to crash and restart multiple times, causing the affected device to reload and resulting in a DoS condition. Note: The UDLD feature is disabled by default, and the conditions to exploit this vulnerability are strict. The attacker needs full control of a directly connected device. That device must be connected over a port channel that has UDLD enabled. To trigger arbitrary code execution, both the UDLD-enabled port channel and specific system conditions must exist. In the absence of either the UDLD-enabled port channel or the system conditions, attempts to exploit this vulnerability will result in a DoS condition. It is possible, but highly unlikely, that an attacker could control the necessary conditions for exploitation. The CVSS score reflects this possibility. However, given the complexity of exploitation, Cisco has assigned a Medium Security Impact Rating (SIR) to this vulnerability.
CVE-2019-1864 1 Cisco 13 Encs 5100, Encs 5400, Integrated Management Controller Supervisor and 10 more 2024-02-28 9.0 HIGH 8.8 HIGH
A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Software could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges on an affected device. The vulnerability is due to insufficient validation of command input by the affected software. An attacker could exploit this vulnerability by sending malicious commands to the web-based management interface of the affected software. A successful exploit could allow the attacker, with read-only privileges, to inject and execute arbitrary, system-level commands with root privileges on an affected device.
CVE-2019-1883 1 Cisco 13 Encs 5100, Encs 5400, Integrated Management Controller Supervisor and 10 more 2024-02-28 7.2 HIGH 7.8 HIGH
A vulnerability in the command-line interface of Cisco Integrated Management Controller (IMC) could allow an authenticated, local attacker with read-only credentials to inject arbitrary commands that could allow them to obtain root privileges. The vulnerability is due to insufficient validation of user-supplied input on the command-line interface. An attacker could exploit this vulnerability by authenticating with read-only privileges via the CLI of an affected device and submitting crafted input to the affected commands. A successful exploit could allow an attacker to execute arbitrary commands on the device with root privileges.
CVE-2019-1885 1 Cisco 5 Integrated Management Controller Supervisor, Ucs C125 M5, Ucs C4200 and 2 more 2024-02-28 9.0 HIGH 7.2 HIGH
A vulnerability in the Redfish protocol of Cisco Integrated Management Controller (IMC) could allow an authenticated, remote attacker to inject and execute arbitrary commands with root privileges on an affected device. The vulnerability is due to insufficient validation of user-supplied input by the affected software. An attacker could exploit this vulnerability by sending crafted authenticated commands to the web-based management interface of the affected software. A successful exploit could allow the attacker to inject and execute arbitrary commands on an affected device with root privileges.
CVE-2019-1865 1 Cisco 13 Encs 5100, Encs 5400, Integrated Management Controller Supervisor and 10 more 2024-02-28 9.0 HIGH 8.8 HIGH
A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Software could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges on an affected device. The vulnerability is due to insufficient validation of user-supplied input by the affected software. An attacker could exploit this vulnerability by invoking an interface monitoring mechanism with a crafted argument on the affected software. A successful exploit could allow the attacker to inject and execute arbitrary, system-level commands with root privileges on an affected device.
CVE-2019-1627 1 Cisco 2 Integrated Management Controller, Unified Computing System 2024-02-28 4.0 MEDIUM 6.5 MEDIUM
A vulnerability in the Server Utilities of Cisco Integrated Management Controller (IMC) could allow an authenticated, remote attacker to gain unauthorized access to sensitive user information from the configuration data that is stored on the affected system. The vulnerability is due to insufficient protection of data in the configuration file. An attacker could exploit this vulnerability by downloading the configuration file. An exploit could allow the attacker to use the sensitive information from the file to elevate privileges.
CVE-2019-1896 1 Cisco 13 Encs 5100, Encs 5400, Integrated Management Controller Supervisor and 10 more 2024-02-28 9.0 HIGH 7.2 HIGH
A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) could allow an authenticated, remote attacker to inject arbitrary commands and obtain root privileges. The vulnerability is due to insufficient validation of user-supplied input in the Certificate Signing Request (CSR) function of the web-based management interface. An attacker could exploit this vulnerability by submitting a crafted CSR in the web-based management interface. A successful exploit could allow an attacker with administrator privileges to execute arbitrary commands on the device with full root privileges.
CVE-2019-1900 1 Cisco 5 Integrated Management Controller Supervisor, Ucs C125 M5, Ucs C4200 and 2 more 2024-02-28 7.8 HIGH 7.5 HIGH
A vulnerability in the web server of Cisco Integrated Management Controller (IMC) could allow an unauthenticated, remote attacker to cause the web server process to crash, causing a denial of service (DoS) condition on an affected system. The vulnerability is due to insufficient validation of user-supplied input on the web interface. An attacker could exploit this vulnerability by submitting a crafted HTTP request to certain endpoints of the affected software. A successful exploit could allow an attacker to cause the web server to crash. Physical access to the device may be required for a restart.
CVE-2019-1863 1 Cisco 13 Encs 5100, Encs 5400, Integrated Management Controller Supervisor and 10 more 2024-02-28 9.0 HIGH 8.1 HIGH
A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Software could allow an authenticated, remote attacker to make unauthorized changes to the system configuration. The vulnerability is due to insufficient authorization enforcement. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected software. A successful exploit could allow a user with read-only privileges to change critical system configurations using administrator privileges.
CVE-2019-1879 1 Cisco 2 Integrated Management Controller, Unified Computing System 2024-02-28 7.2 HIGH 6.7 MEDIUM
A vulnerability in the CLI of Cisco Integrated Management Controller (IMC) could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges. The vulnerability is due to insufficient validation of user-supplied input at the CLI. An attacker could exploit this vulnerability by authenticating with the administrator password via the CLI of an affected device and submitting crafted input to the affected commands. A successful exploit could allow the attacker to execute arbitrary commands on the device with root privileges.
CVE-2019-1629 1 Cisco 2 Integrated Management Controller, Unified Computing System 2024-02-28 5.0 MEDIUM 5.3 MEDIUM
A vulnerability in the configuration import utility of Cisco Integrated Management Controller (IMC) could allow an unauthenticated, remote attacker to have write access and upload arbitrary data to the filesystem. The vulnerability is due to a failure to delete temporarily uploaded files. An attacker could exploit this vulnerability by crafting a malicious file and uploading it to the affected device. An exploit could allow the attacker to fill up the filesystem or upload malicious scripts.
CVE-2019-1907 1 Cisco 5 Integrated Management Controller Supervisor, Ucs C125 M5, Ucs C4200 and 2 more 2024-02-28 6.5 MEDIUM 8.8 HIGH
A vulnerability in the web server of Cisco Integrated Management Controller (IMC) could allow an authenticated, remote attacker to set sensitive configuration values and gain elevated privileges. The vulnerability is due to improper handling of substring comparison operations that are performed by the affected software. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected software. A successful exploit could allow the attacker with read-only privileges to gain administrator privileges.