PT-2017-16106 · Cisco · Cisco UCS Director

Published

2017-02-15

·

Updated

2019-10-03

·

CVE-2017-3801

CVSS v3.1

8.8

High

Vector

AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Cisco UCS Director versions 6.0.0.0 through 6.0.0.1

Description

A privilege escalation vulnerability exists because role-based access control (RBAC) is not enforced correctly once the Developer Menu is enabled. An authenticated, local attacker holding only an end-user profile could enable Developer Mode, add new catalogs containing arbitrary workflow items, and then perform the actions those items define, including actions that affect other tenants. That cross-tenant reach is what the changed scope (S:C) in the CVSS vector reflects, even though only low privileges (PR:L) are required.

Recommendations

For Cisco UCS Director 6.0.0.0 and 6.0.0.1, apply the vendor's fixed release when it is available. Until then, keep the Developer Menu disabled and restrict access to the Developer Mode feature. Note that in this scenario the attacker enables Developer Mode themselves, so disabling the menu is a meaningful mitigation only where end-user profiles cannot re-enable it; verify that in your deployment rather than assuming it, and do not grant end-user profiles a way to enable Developer Mode, since that is what lets them add arbitrary workflow items.
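The authorization defect described above, as an added illustration that is not Cisco UCS Director code and is not taken from this page: a toy multi-tenant catalog service in which a user-controlled "developer mode" toggle short-circuits the role and tenant check (the vulnerable pattern), beside a corrected check that derives the decision from role and tenant alone. All names (Principal, Catalog, authorize_catalog_vulnerable, authorize_catalog_fixed, attempt) and the scenario data are hypothetical and constructed for the example.

```python
"""Toy RBAC check for a multi-tenant catalog/workflow service.

Constructed illustration, not Cisco UCS Director code: it models the defect
class described for CVE-2017-3801 (a user-controlled "developer mode" toggle
causing the role/tenant check to be skipped) next to a corrected check.
Every name here (Principal, Catalog, authorize_*, attempt) is hypothetical.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Principal:
    name: str
    role: str                     # "admin" or "end_user"
    tenant: str
    developer_mode: bool = False  # session toggle the user can flip themselves


@dataclass
class Catalog:
    name: str
    tenant: str
    workflow_items: list = field(default_factory=list)


class AuthorizationError(Exception):
    pass


def authorize_catalog_vulnerable(p: Principal, catalog: Catalog) -> None:
    """Vulnerable pattern: a UI feature flag short-circuits authorization."""
    if p.developer_mode:
        # Defect: the toggle is treated as an entitlement, so an end user who
        # enables it can create catalogs (and their workflows) in any tenant.
        return
    if p.role != "admin" or p.tenant != catalog.tenant:
        raise AuthorizationError(f"{p.name} may not add catalogs in {catalog.tenant}")


def authorize_catalog_fixed(p: Principal, catalog: Catalog) -> None:
    """Corrected pattern: the decision depends only on role and tenant."""
    if p.role != "admin":
        raise AuthorizationError(f"{p.name}: role {p.role!r} may not add catalogs")
    if p.tenant != catalog.tenant:
        raise AuthorizationError(f"{p.name}: tenant {p.tenant} may not write to {catalog.tenant}")
    # Developer mode is never consulted here: it may change what the UI shows,
    # never what the server permits.


def add_catalog(store: dict, p: Principal, catalog: Catalog, authorize) -> Catalog:
    """Server-side entry point: authorize first, then persist."""
    authorize(p, catalog)
    store.setdefault(catalog.tenant, []).append(catalog)
    return catalog


def attempt(p: Principal, catalog: Catalog, authorize) -> bool:
    """Return True if the principal managed to add the catalog."""
    store: dict = {}
    try:
        add_catalog(store, p, catalog, authorize)
    except AuthorizationError:
        return False
    return catalog in store.get(catalog.tenant, [])


# Constructed scenario: an end user in tenant-a turns on developer mode and
# targets tenant-b with a catalog carrying an arbitrary workflow item.
EVE = Principal("eve", "end_user", "tenant-a", developer_mode=True)
ADMIN_A = Principal("alice", "admin", "tenant-a")
CATALOG_B = Catalog("ops", "tenant-b", ["power_off_all_vms"])
CATALOG_A = Catalog("ops", "tenant-a", ["snapshot_vm"])

if __name__ == "__main__":
    print("vulnerable, eve -> tenant-b:", attempt(EVE, CATALOG_B, authorize_catalog_vulnerable))
    print("fixed,      eve -> tenant-b:", attempt(EVE, CATALOG_B, authorize_catalog_fixed))
    print("fixed,    alice -> tenant-a:", attempt(ADMIN_A, CATALOG_A, authorize_catalog_fixed))
    print("fixed,    alice -> tenant-b:", attempt(ADMIN_A, CATALOG_B, authorize_catalog_fixed))
```

The point of the corrected check is that a presentation-layer toggle an end user can flip must never enter the server-side authorization decision; role and tenant are the only inputs, so enabling Developer Mode changes nothing about what the end user is permitted to create or run.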

Fix

Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2017-3801

Affected Products

Cisco UCS Director