CVE-2024-20449
Published: 02 October 2024
Summary
CVE-2024-20449 is a high-severity Relative Path Traversal (CWE-23) vulnerability in Cisco Nexus Dashboard Fabric Controller. Its CVSS base score is 8.8 (High).
Operationally, ranked in the top 9.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
A vulnerability in Cisco Nexus Dashboard Fabric Controller (NDFC) stems from improper path validation that permits path traversal. The flaw is tracked under CVE-2024-20449 with associated CWEs 22 and 23, carries a CVSS 3.1 score of 8.8, and affects the fabric-controller component.
An authenticated remote attacker with low privileges can exploit the issue by uploading malicious code via the Secure Copy Protocol (SCP) and traversing directories to place the payload in a location that results in arbitrary code execution inside a container running with root privileges.
The vendor has published an advisory at the referenced Cisco Security Advisory URL that addresses the path-validation weakness. The EPSS score for this CVE rose from a low baseline to a recorded peak of 0.0987, indicating increased exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-18164
Vulnerability details
A vulnerability in Cisco Nexus Dashboard Fabric Controller (NDFC) could allow an authenticated, remote attacker with low privileges to execute arbitrary code on an affected device. This vulnerability is due to improper path validation. An attacker could exploit this vulnerability…
more
by using the Secure Copy Protocol (SCP) to upload malicious code to an affected device using path traversal techniques. A successful exploit could allow the attacker to execute arbitrary code in a specific container with the privileges of root.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.