CVE-2024-20478 MEDIUM

CVE-2024-20478: Cisco Application Policy Infrastructure Controller App Privilege Escalation Vulnerability

Vendor Cisco
Product Cisco Application Policy Infrastructure Controller (APIC)
Weakness CWE-250
Published August 28, 2024
Last update September 6, 2024

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

A vulnerability in the software upgrade component of Cisco Application Policy Infrastructure Controller (APIC) and Cisco Cloud Network Controller, formerly Cisco Cloud APIC, could allow an authenticated, remote attacker with Administrator-level privileges to install a modified software image, leading to arbitrary code injection on an affected system. This vulnerability is due to insufficient signature validation of software images. An attacker could exploit this vulnerability by installing a modified software image. A successful exploit could allow the attacker to execute arbitrary code on the affected system and elevate their privileges to root. Note: Administrators should always validate the hash of any upgrade image before uploading it to Cisco APIC and Cisco Cloud Network Controller.

Key dates

02Disclosure timeline

August 28, 2024 CVE published
September 6, 2024 Record updated