PT-2020-17245 · Cisco · Cisco UCS Director +2

Published 2020-05-06 · Updated 2021-10-26 · CVE-2020-3329

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Cisco Integrated Management Controller (IMC) Supervisor (affected versions not specified)
Cisco UCS Director (affected versions not specified)
Cisco UCS Director Express for Big Data (affected versions not specified)
Description

A vulnerability in the role-based access control (RBAC) of the affected products could allow an authenticated, remote attacker with read-only privileges to disable user accounts on an affected system. The vulnerability is due to incorrect allocation of the enable/disable action button within the RBAC code, so the restriction is tied to what the interface exposes rather than to the permissions of the acting role. An attacker could exploit it by authenticating as a read-only user and then updating the roles of other users to disable those accounts, potentially including administrative accounts.
Recommendations

For Cisco Integrated Management Controller (IMC) Supervisor: update the role-based access control configuration to correctly allocate the enable/disable action button.
For Cisco UCS Director: restrict access to user role updates for read-only users until a fix is applied.
For Cisco UCS Director Express for Big Data: consider disabling the role update feature for read-only users as a temporary workaround.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
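The description above is an instance of a general defect: an authorization decision that lives in the UI (which roles get the enable/disable button) instead of on the server that performs the action. The following is an added, constructed example, not Cisco code and not the product's actual RBAC model; the role names, permission strings, user names and the UserDirectory class are all hypothetical. It contrasts a handler that trusts a "button was shown" flag from the client with one that re-derives the actor's permissions from its role on every request, which is the control the recommendations are asking administrators to approximate until a fix is available.

```python
"""Constructed example: server-side enforcement of account enable/disable.

Everything here (roles, permissions, user names, the UserDirectory class)
is hypothetical and built for illustration; none of it is Cisco's code.
"""
from dataclasses import dataclass, field

# Role -> permission set (constructed). The read-only role deliberately
# carries no right to change the enabled state of any account.
ROLE_PERMISSIONS = {
    "admin": frozenset({"users:read", "users:update", "users:set_enabled"}),
    "read-only": frozenset({"users:read"}),
}


class AuthorizationError(PermissionError):
    """Raised when the acting user lacks the permission an action requires."""


@dataclass
class User:
    name: str
    role: str
    enabled: bool = True


@dataclass
class UserDirectory:
    users: dict = field(default_factory=dict)
    # (actor, target, requested_state, outcome) tuples, for detection/audit
    audit_log: list = field(default_factory=list)

    def add(self, user: User) -> None:
        self.users[user.name] = user

    def set_enabled_ui_gated(self, actor: User, target: str, enabled: bool,
                             button_shown: bool) -> bool:
        """Vulnerable pattern: the only gate is whether the UI rendered the
        enable/disable button. A client that submits the request directly,
        claiming the button was shown, bypasses the role check entirely."""
        if not button_shown:
            raise AuthorizationError("action not available in this view")
        self.users[target].enabled = enabled
        self.audit_log.append((actor.name, target, enabled, "OK"))
        return self.users[target].enabled

    def set_enabled(self, actor: User, target: str, enabled: bool) -> bool:
        """Hardened pattern: the server derives the actor's permissions from
        its role on every request, independent of any UI state, and logs
        denials so repeated attempts are visible to monitoring."""
        granted = ROLE_PERMISSIONS.get(actor.role, frozenset())
        if "users:set_enabled" not in granted:
            self.audit_log.append((actor.name, target, enabled, "DENIED"))
            raise AuthorizationError(
                f"role {actor.role!r} may not enable or disable accounts")
        if target not in self.users:
            raise KeyError(target)
        self.users[target].enabled = enabled
        self.audit_log.append((actor.name, target, enabled, "OK"))
        return self.users[target].enabled


def demo() -> dict:
    """Exercise both handlers with a read-only actor against an admin account
    and return the resulting states for inspection."""
    directory = UserDirectory()
    admin = User("admin", "admin")
    viewer = User("viewer", "read-only")
    directory.add(admin)
    directory.add(viewer)

    # Vulnerable handler: the request simply asserts the button was shown.
    directory.set_enabled_ui_gated(viewer, "admin", False, button_shown=True)
    vulnerable_admin_enabled = directory.users["admin"].enabled  # False

    # Reset, then route the same request through the hardened handler.
    directory.users["admin"].enabled = True
    try:
        directory.set_enabled(viewer, "admin", False)
        hardened_denied = False
    except AuthorizationError:
        hardened_denied = True
    hardened_admin_enabled = directory.users["admin"].enabled  # True

    # A legitimately privileged actor is still able to disable an account.
    directory.set_enabled(admin, "viewer", False)

    return {
        "vulnerable_admin_enabled": vulnerable_admin_enabled,
        "hardened_denied": hardened_denied,
        "hardened_admin_enabled": hardened_admin_enabled,
        "viewer_enabled": directory.users["viewer"].enabled,
        "denied_events": sum(1 for e in directory.audit_log if e[3] == "DENIED"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the hardened handler is that the permission lookup keys on the actor's role as stored server-side, so what the interface chose to render is irrelevant; the "DENIED" audit entries are also the signal a defender would alert on while a workaround such as the one recommended above is in place.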

Weakness Enumeration

Improper Access Control

Related Identifiers

CVE-2020-3329

Affected Products

Cisco Integrated Management Controller (IMC) Supervisor
Cisco UCS Director
Cisco UCS Director Express for Big Data