PT-2020-2233 · Cisco · Cisco UCS Director +2

Mr_Me +1 · Published 2020-04-15 · Updated 2020-05-05 · CVE-2020-3239

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Cisco Integrated Management Controller (IMC) Supervisor (affected versions not specified)
Cisco UCS Director (affected versions not specified)
Cisco UCS Director Express for Big Data (affected versions not specified)
Description

The vulnerability stems from improper privilege management in the web interface of the Cisco Integrated Management Controller (IMC) Supervisor, which manages physical infrastructure and virtual environments, and in Cisco UCS Director and Cisco UCS Director Express for Big Data. Exploiting it may allow a remote attacker to compromise the integrity of protected information. In addition, multiple vulnerabilities in the REST API of Cisco UCS Director and Cisco UCS Director Express for Big Data may allow a remote attacker to bypass authentication or carry out directory traversal attacks on an affected device.
Recommendations

For Cisco Integrated Management Controller (IMC) Supervisor, consider restricting access to the web interface until a fix is available. For Cisco UCS Director, update the REST API so that authentication bypass and directory traversal are no longer possible. For Cisco UCS Director Express for Big Data, restrict access to the REST API until a patch is available. As a temporary workaround, consider disabling the unzip function in the StorageUtil module to block the directory traversal and remote code execution path.
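The workaround names archive extraction as the traversal vector. As an added illustration that is not Cisco's code and not the StorageUtil module the advisory refers to, the Python below shows the containment check a hardened unzip routine should apply to every entry before touching the filesystem: entry names are resolved against the destination root and anything that escapes it is rejected and reported rather than written. The functions `is_contained`, `safe_extract`, `build_sample_archive` and `demo`, and the sample archive with its `../../` entry, are all constructed for this example.

```python
import io
import tempfile
import zipfile
from pathlib import Path

def is_contained(dest_dir: str, entry_name: str) -> bool:
    """True only if the archive entry would land inside dest_dir after
    resolving '..' components; absolute paths and drive prefixes are refused."""
    if entry_name.startswith(("/", "\\")) or entry_name[1:2] == ":":
        return False
    root = Path(dest_dir).resolve()
    try:
        (root / entry_name).resolve().relative_to(root)
    except ValueError:
        return False
    return True

def safe_extract(zip_bytes: bytes, dest_dir: str) -> dict:
    """Extract zip_bytes into dest_dir, skipping entries that escape it.
    Uses ZipFile.read() instead of extract(), so is_contained() is the only
    check between an attacker-chosen entry name and the filesystem."""
    root = Path(dest_dir)
    root.mkdir(parents=True, exist_ok=True)
    report = {"extracted": [], "rejected": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_contained(dest_dir, info.filename):
                report["rejected"].append(info.filename)  # record, never write
                continue
            target = root / info.filename
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
            else:
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(zf.read(info))
            report["extracted"].append(info.filename)
    return report

def build_sample_archive() -> bytes:
    """Constructed sample: one benign entry and one '../' traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config/settings.ini", "mode=safe\n")
        zf.writestr("../../outside.txt", "escaped\n")
    return buf.getvalue()

def demo() -> dict:
    """Run the constructed archive through safe_extract in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return safe_extract(build_sample_archive(), tmp)
```

The rejected list is what a detection rule should key on: an upload whose archive contains entries resolving outside the destination is the signature of a traversal attempt.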

Fix

Special Elements Injection

RCE

Path traversal


Weakness Enumeration

Related Identifiers

BDU:2020-02149
CVE-2020-3239
ZDI-20-539

Affected Products

Cisco Integrated Management Controller (IMC) Supervisor
Cisco UCS Director
Cisco UCS Director Express for Big Data