Improper Authorization in Cisco IOS and Cisco IOS XE - CVE-2023-20186

 

Improper Authorization in Cisco IOS and Cisco IOS XE - CVE-2023-20186

Published: September 28, 2023


Vulnerability identifier: #VU81248
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-20186
CWE-ID: CWE-285
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Cisco Systems, Inc
Affected software:
Cisco IOS
Cisco IOS XE

Detailed vulnerability description

The vulnerability allows a local user to gain unauthorized access to the device.

The vulnerability exists due to improper authorization checks within the Authentication, Authorization, and Accounting (AAA) feature. A local user with level 15 privileges can bypass command authorization and copy files to or from the file system of an affected device using the Secure Copy Protocol (SCP).


How to mitigate CVE-2023-20186

Install updates from vendor's website.

Sources