- Description: A vulnerability in the restricted security domain implementation of Cisco Application Policy Infrastructure Controller (APIC) could allow an authenticated, remote attacker to read, modify, or delete non-tenant policies (for example, access policies) created by users associated with a different security domain on an affected system. This vulnerability is due to improper access control when restricted security domains are used to implement multi-tenancy for policies outside the tenant boundaries. An attacker with a valid user account associated with a restricted security domain could exploit this vulnerability. A successful exploit could allow the attacker to read, modify, or delete policies created by users associated with a different security domain. Exploitation is not possible for policies under tenants that an attacker has no authorization to access.
- Source: ykramarz@cisco.com
- NVD status: Modified
CVSS 3.1
- Type: Primary
- Base score: 5.4
- Impact score: 2.5
- Exploitability score: 2.8
- Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
- Severity: MEDIUM
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:cisco:application_policy_infrastructure_controller:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "E8DF423B-F7E4-4B50-A430-B458CE03DBAE",
            "versionEndExcluding": "5.2\\(8d\\)",
            "versionStartIncluding": "5.2"
          },
          {
            "criteria": "cpe:2.3:a:cisco:application_policy_infrastructure_controller:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "DBAD823C-A857-4155-82EF-7514CD20AEA0",
            "versionEndExcluding": "6.0\\(3d\\)",
            "versionStartIncluding": "6.0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]