Path traversal in Cisco Duo Device Health Application for Windows
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2023-20229 |
| CWE-ID | CWE-22 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software |
Cisco Duo Device Health Application for Windows Other software / Other software solutions |
| Vendor | Cisco Systems, Inc |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Path traversal
EUVDB-ID: #VU79964
Risk: Low
CVSSv4.0: 4.5 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-20229
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences in the CryptoService function. A local user can send a specially crafted HTTP request and overwrite arbitrary files on the system, leading to denial of service (DoS) condition.
MitigationInstall update from vendor's website.
Vulnerable software versionsCisco Duo Device Health Application for Windows: 5.0.0 - 5.1.0
CPE2.3- cpe:2.3:a:cisco_systems:cisco_duo_device_health_application_for_windows:5.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:cisco_systems:cisco_duo_device_health_application_for_windows:5.1.0:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
