CVE-2020-3467

EPSS 0.13%
Published 08.10.2020 05:15:14
Last modified 21.11.2024 05:31:07
Source psirt@cisco.com
Teams watchlist Login
Open Login

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to modify parts of the configuration on an affected device. The vulnerability is due to improper enforcement of role-based access control (RBAC) within the web-based management interface. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to modify parts of the configuration. The modified configuration could either allow unauthorized devices onto the network or prevent authorized devices from accessing the network. To exploit this vulnerability, an attacker would need valid Read-Only Administrator credentials.

Affected products Warnungen 0 Metrics 4 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Cisco ≫ Identity Services Engine Version <= 2.4

Cisco ≫ Identity Services Engine Version2.4(0.357)

Cisco ≫ Identity Services Engine Version2.4.0.357 Updatepatch1

Cisco ≫ Identity Services Engine Version2.4.0.357 Updatepatch10

Cisco ≫ Identity Services Engine Version2.4.0.357 Updatepatch11

Cisco ≫ Identity Services Engine Version2.4.0.357 Updatepatch12

Cisco ≫ Identity Services Engine Version2.4.0.357 Updatepatch2

Cisco ≫ Identity Services Engine Version2.4.0.357 Updatepatch3

Cisco ≫ Identity Services Engine Version2.4.0.357 Updatepatch4

Cisco ≫ Identity Services Engine Version2.4.0.357 Updatepatch5

Cisco ≫ Identity Services Engine Version2.4.0.357 Updatepatch6

Cisco ≫ Identity Services Engine Version2.4.0.357 Updatepatch7

Cisco ≫ Identity Services Engine Version2.4.0.357 Updatepatch8

Cisco ≫ Identity Services Engine Version2.4.0.357 Updatepatch9

Cisco ≫ Identity Services Engine Version2.5

Cisco ≫ Identity Services Engine Version2.6(0.156)

Cisco ≫ Identity Services Engine Version2.6.0 Update-

Cisco ≫ Identity Services Engine Version2.6.0.156 Updatepatch1

Cisco ≫ Identity Services Engine Version2.6.0.156 Updatepatch2

Cisco ≫ Identity Services Engine Version2.6.0.156 Updatepatch3

Cisco ≫ Identity Services Engine Version2.6.0.156 Updatepatch5

Cisco ≫ Identity Services Engine Version2.6.0.156 Updatepatch6

Cisco ≫ Identity Services Engine Version2.7

Cisco ≫ Identity Services Engine Version2.7(0.356)

Cisco ≫ Identity Services Engine Version2.7.0.356 Updatepatch1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.13%	0.293

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.7	3.1	4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
nvd@nist.gov	5.5	8	4.9	AV:N/AC:L/Au:S/C:N/I:P/A:P
psirt@cisco.com	7.7	3.1	4	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-auth-bypass-uJWqLTZM

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2020-3467

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-3467

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-3467

EUVD