6.5

CVE-2023-20016

A vulnerability in the backup configuration feature of Cisco UCS Manager Software and in the configuration export feature of Cisco FXOS Software could allow an unauthenticated attacker with access to a backup file to decrypt sensitive information stored in the full state and configuration backup files. This vulnerability is due to a weakness in the encryption method used for the backup function. An attacker could exploit this vulnerability by leveraging a static key used for the backup configuration feature. A successful exploit could allow the attacker to decrypt sensitive information that is stored in full state and configuration backup files, such as local user credentials, authentication server passwords, Simple Network Management Protocol (SNMP) community names, and other credentials.

Data is provided by the National Vulnerability Database (NVD)
CiscoUcs Central Software Version < 4.2\(3c\)
   CiscoUcs 6536 Version-
CiscoUcs 6536 Firmware Version-
   CiscoUcs 6536 Version-
CiscoUcs Central Software Version < 4.2\(3c\)
   CiscoUcs 64108 Version-
CiscoUcs 64108 Firmware Version-
   CiscoUcs 64108 Version-
CiscoUcs Central Software Version < 4.2\(3c\)
   CiscoUcs 6454 Version-
CiscoUcs 6454 Firmware Version-
   CiscoUcs 6454 Version-
CiscoUcs Central Software Version < 4.2\(3c\)
   CiscoUcs 6200 Version-
CiscoUcs 6200 Firmware Version-
   CiscoUcs 6200 Version-
CiscoUcs Central Software Version < 4.2\(3c\)
   CiscoUcs 6248up Version-
CiscoUcs 6248up Firmware Version-
   CiscoUcs 6248up Version-
CiscoUcs Central Software Version < 4.2\(3c\)
   CiscoUcs 6296up Version-
CiscoUcs 6296up Firmware Version-
   CiscoUcs 6296up Version-
CiscoUcs Central Software Version < 4.2\(3c\)
   CiscoUcs 6300 Version-
CiscoUcs 6300 Firmware Version-
   CiscoUcs 6300 Version-
CiscoUcs Central Software Version < 4.2\(3c\)
   CiscoUcs 6324 Version-
CiscoUcs 6324 Firmware Version-
   CiscoUcs 6324 Version-
CiscoUcs Central Software Version < 4.2\(3c\)
   CiscoUcs 6332 Version-
CiscoUcs 6332 Firmware Version-
   CiscoUcs 6332 Version-
CiscoUcs Central Software Version < 4.2\(3c\)
   CiscoUcs 6332-16up Version-
CiscoUcs 6332-16up Firmware Version-
   CiscoUcs 6332-16up Version-
CiscoFxos Version < 2.6.1
   CiscoFirepower 4100 Version-
   CiscoFirepower 4110 Version-
   CiscoFirepower 4112 Version-
   CiscoFirepower 4115 Version-
   CiscoFirepower 4120 Version-
   CiscoFirepower 4125 Version-
   CiscoFirepower 4140 Version-
   CiscoFirepower 4145 Version-
   CiscoFirepower 4150 Version-
   CiscoFirepower 9300 Sm-24 Version-
   CiscoFirepower 9300 Sm-36 Version-
   CiscoFirepower 9300 Sm-40 Version-
   CiscoFirepower 9300 Sm-44 Version-
   CiscoFirepower 9300 Sm-44 X 3 Version-
   CiscoFirepower 9300 Sm-48 Version-
   CiscoFirepower 9300 Sm-56 Version-
   CiscoFirepower 9300 Sm-56 X 3 Version-
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.06% 0.139
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 6.5 2 4
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
psirt@cisco.com 6.3 1.8 4
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
CWE-321 Use of Hard-coded Cryptographic Key

The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.

CWE-330 Use of Insufficiently Random Values

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.