SB2023092818 - Authorization bypass in Cisco IOS and IOS XE software
Published: September 28, 2023
Security Bulletin ID
SB2023092818
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Local access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Improper Authorization (CVE-ID: CVE-2023-20186)
The vulnerability allows a local user to gain unauthorized access to the device.
The vulnerability exists due to improper authorization checks within the Authentication, Authorization, and Accounting (AAA) feature. A local user with level 15 privileges can bypass command authorization and copy files to or from the file system of an affected device using the Secure Copy Protocol (SCP).
Remediation
Install update from vendor's website.