CVE-2020-8349
9.8
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 / Impact: 5.9
Source: NVD
Description
An internal security review has identified an unauthenticated remote code execution vulnerability in Cloud Networking Operating System (CNOS)’ optional REST API management interface. This interface is disabled by default and not vulnerable unless enabled. When enabled, it is only vulnerable where attached to a VRF and as allowed by defined ACLs. Lenovo strongly recommends upgrading to a non-vulnerable CNOS release. Where not possible, Lenovo recommends disabling the REST API management interface or restricting access to the management VRF and further limiting access to authorized management stations via ACL.
Affected (1)
Products: Lenovo: Cloud Networking Operating System
Configuration A
| Vulnerable Software | Affected Versions |
|---|---|
| Before 10.10.6.0 |
| Running on/with | Platform Versions |
|---|---|
Lenovo Rackswitch G8272 | All versions |
Lenovo Rackswitch G8296 | All versions |
Lenovo Rackswitch G8332 | All versions |
Lenovo Rackswitch Ne0152t | All versions |
Lenovo Rackswitch Ne10032 | All versions |
Lenovo Rackswitch Ne1032 | All versions |
Lenovo Rackswitch Ne1032t | All versions |
Lenovo Rackswitch Ne1072t | All versions |
Lenovo Rackswitch Ne2572 | All versions |
Related CWEs
CWE-20
Improper Input Validation
The product receives input or data, but it does
not validate or incorrectly validates that the input has the
properties that are required to process the data safely and
correctly.
CWE-94
Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
References (2)
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Timeline
No history available yet.