Connectrix: Cisco Data Center Network Manager: Arbitrary File Download Vulnerability
Summary: A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) may allow an unauthenticated, remote attacker to gain access to sensitive files on an affected device. ...
Security Article Type
Security KB
CVE Identifier
CVE-2019-1621 Arbitrary File Download Vulnerability in Data Center Network Manager (DCNM)
Issue Summary
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) may allow an unauthenticated, remote attacker to gain access to sensitive files on an affected device.
The vulnerability is due to incorrect permission settings on affected DCNM software. An attacker could exploit this vulnerability by connecting to the web-based management interface of an affected device and requesting specific URLs. A successful exploit may allow the attacker to download arbitrary files from the underlying file system of the affected device.
The vulnerability affects Cisco Data Center Network Manager (DCNM) software releases before Release 11.2(1).
Details
An attacker may use a specific web servlet that is available on affected DCNM devices to download arbitrary files from the underlying file system.
In DCNM Software Release 11.0(1) and earlier, an attacker must be authenticated to the DCNM web-based management interface to exploit this vulnerability.
In DCNM Software Release 11.1(1), unauthenticated access to the affected web servlet is available, making it possible for an unauthenticated attacker to exploit this vulnerability.
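The release boundaries above are the ones a practitioner needs when triaging an inventory of DCNM servers: fixed at 11.2(1), exploitable without credentials on 11.1(1), exploitable only with credentials on 11.0(1) and earlier. The helper below, added here as an example and not code from Cisco or from this KB, parses Cisco-style release strings such as "11.1(1)" (the dotted form "11.2.1" is also accepted) and classifies each host against those boundaries. Two points are assumptions rather than statements of the advisory: a trailing letter in the rebuild field (for example "11.1(1a)") is treated as later than the bare number, and every 11.1 release before 11.2(1) is treated like 11.1(1); releases between 11.0(1) and 11.1(1), if any exist, are reported as affected without a stated authentication requirement. The inventory at the bottom is constructed sample data.

```python
import re
from typing import Dict, Tuple

# Release boundaries taken from the advisory text.
FIXED_RELEASE = "11.2(1)"        # fixed in 11.2(1) and later
UNAUTH_RELEASE = "11.1(1)"       # servlet reachable without authentication
LAST_AUTH_ONLY = "11.0(1)"       # 11.0(1) and earlier require authentication

NOT_AFFECTED = "not affected"
AFFECTED_UNAUTH = "affected (unauthenticated)"
AFFECTED_AUTH = "affected (authentication required)"
AFFECTED_UNKNOWN = "affected (authentication requirement not stated in advisory)"

# major.minor.rebuild with an optional trailing letter, after normalising
# "11.2(1)" to "11.2.1". The letter suffix is an assumption about the format.
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)$")


def parse_release(text: str) -> Tuple[int, int, int, int]:
    """Turn '11.1(1a)' or '11.1.1a' into a comparable tuple (11, 1, 1, 1)."""
    s = text.strip().lower()
    if "(" in s and s.endswith(")"):
        s = s.replace("(", ".")[:-1]          # "11.1(1a)" -> "11.1.1a"
    m = _RELEASE_RE.match(s)
    if not m:
        raise ValueError(f"unrecognised DCNM release string: {text!r}")
    major, minor, rebuild, suffix = m.groups()
    # Assumption: a suffix letter sorts after the bare rebuild number ("1" < "1a").
    suffix_rank = (ord(suffix) - ord("a") + 1) if suffix else 0
    return (int(major), int(minor), int(rebuild), suffix_rank)


def classify(text: str) -> str:
    """Map one DCNM release string onto the advisory's affected/fixed states."""
    rel = parse_release(text)
    if rel >= parse_release(FIXED_RELEASE):
        return NOT_AFFECTED
    if rel <= parse_release(LAST_AUTH_ONLY):
        return AFFECTED_AUTH
    if rel >= parse_release(UNAUTH_RELEASE):
        # Assumption: 11.1 maintenance releases behave like 11.1(1).
        return AFFECTED_UNAUTH
    return AFFECTED_UNKNOWN


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify every host in a {hostname: release} mapping.

    Unparseable strings are reported rather than raising, so one odd entry
    does not abort a fleet-wide check.
    """
    results = {}
    for host, release in inventory.items():
        try:
            results[host] = classify(release)
        except ValueError as exc:
            results[host] = f"unknown ({exc})"
    return results


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "dcnm-lab-01": "11.1(1)",
    "dcnm-prod-01": "11.0(1)",
    "dcnm-prod-02": "11.2(1)",
    "dcnm-old-01": "10.4(2)",
    "dcnm-bad-entry": "latest",
}

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:16} {SAMPLE_INVENTORY[host]:10} {verdict}")
```

Hosts reported as "affected (unauthenticated)" are the ones to isolate or patch first, since the web interface can be used against them by anyone who can reach it; the "authentication required" group still needs the upgrade, but the exposure is limited to holders of DCNM credentials.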
Recommendations
It is suggested to upgrade to DCNM Release 11.2(1) or later to address this issue.