Main Vulnerability Database Vulnerabilities #VU81248

#VU81248 Improper Authorization in Cisco IOS and Cisco IOS XE - CVE-2023-20186

Published: September 28, 2023

Vulnerability identifier: #VU81248

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2023-20186

CWE-ID: CWE-285

Exploitation vector: Local access

Exploit availability: No public exploit available

Vulnerable software:
Cisco IOS
Cisco IOS XE

Software vendor:
Cisco Systems, Inc

Description

The vulnerability allows a local user to gain unauthorized access to the device.

The vulnerability exists due to improper authorization checks within the Authentication, Authorization, and Accounting (AAA) feature. A local user with level 15 privileges can bypass command authorization and copy files to or from the file system of an affected device using the Secure Copy Protocol (SCP).

Remediation

Install updates from vendor's website.

External links

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-aaascp-Tyj4fEJm
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwe55871

#VU81248 Improper Authorization in Cisco IOS and Cisco IOS XE - CVE-2023-20186

Description

Remediation

External links

Please verify you're human