CVE-2023-20194

EPSS 0.06%
Published 07.09.2023 20:15:07
Last modified 21.11.2024 07:40:48
Source psirt@cisco.com
Teams watchlist Login
Open Login

A vulnerability in the ERS API of Cisco ISE could allow an authenticated, remote attacker to read arbitrary files on the underlying operating system of an affected device. To exploit this vulnerability, an attacker must have valid Administrator-level privileges on the affected device. This vulnerability is due to improper privilege management in the ERS API. An attacker could exploit this vulnerability by sending a crafted request to an affected device. A successful exploit could allow the attacker to elevate their privileges beyond the sphere of their intended access level, which would allow them to obtain sensitive information from the underlying operating system. Note: The ERS is not enabled by default. To verify the status of the ERS API in the Admin GUI, choose Administration > Settings > API Settings > API Service Settings.

Affected products Warnungen 0 Metrics 3 CWE 2 References 4

Data is provided by the National Vulnerability Database (NVD)

Cisco ≫ Identity Services Engine Version <= 2.7

Cisco ≫ Identity Services Engine Version3.0.0 Update-

Cisco ≫ Identity Services Engine Version3.0.0 Updatepatch1

Cisco ≫ Identity Services Engine Version3.0.0 Updatepatch2

Cisco ≫ Identity Services Engine Version3.0.0 Updatepatch3

Cisco ≫ Identity Services Engine Version3.0.0 Updatepatch4

Cisco ≫ Identity Services Engine Version3.0.0 Updatepatch5

Cisco ≫ Identity Services Engine Version3.0.0 Updatepatch6

Cisco ≫ Identity Services Engine Version3.0.0 Updatepatch7

Cisco ≫ Identity Services Engine Version3.1 Update-

Cisco ≫ Identity Services Engine Version3.1 Updatepatch1

Cisco ≫ Identity Services Engine Version3.1 Updatepatch3

Cisco ≫ Identity Services Engine Version3.1 Updatepatch4

Cisco ≫ Identity Services Engine Version3.1 Updatepatch5

Cisco ≫ Identity Services Engine Version3.1 Updatepatch6

Cisco ≫ Identity Services Engine Version3.1 Updatepatch7

Cisco ≫ Identity Services Engine Version3.2 Update-

Cisco ≫ Identity Services Engine Version3.2 Updatepatch1

Cisco ≫ Identity Services Engine Version3.2 Updatepatch2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.06%	0.161

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	4.9	1.2	3.6	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
psirt@cisco.com	4.9	1.2	3.6	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CWE-268 Privilege Chaining

Two distinct privileges, roles, capabilities, or rights can be combined in a way that allows an entity to perform unsafe actions that would not be allowed without that combination.

CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-priv-esc-KJLp2Aw

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-20194

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-20194

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-20194

EUVD