CVE-2023-20136

Source: NVD (web.nvd.nist.gov), record NVD:CVE-2023-20136
Published: 2023-06-28 15:15:09
History: Jun 28, 2023 - 3:15 p.m.
Weaknesses: CWE-269, CWE-648
Tags: cisco, secure workload, vulnerability, unauthorized operations, openapi, rbac, attacker, user privileges

CVSS v3.1 base score: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: LOW
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: HIGH
  Availability Impact: NONE

AI Score: 5.2 (Confidence: High)
EPSS: 0.001 (Percentile: 26.2%)

A vulnerability in the OpenAPI of Cisco Secure Workload could allow an authenticated, remote attacker with the privileges of a read-only user to execute operations that should require Administrator privileges. The attacker would need valid user credentials.

This vulnerability is due to improper role-based access control (RBAC) of certain OpenAPI operations. An attacker could exploit this vulnerability by issuing a crafted OpenAPI function call with valid credentials. A successful exploit could allow the attacker to execute OpenAPI operations that are reserved for the Administrator user, including the creation and deletion of user labels.
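As an added, illustrative example (not Cisco's code and not taken from the advisory), the following Python contrasts the "allow unless restricted" authorization pattern that produces this class of flaw with a deny-by-default check, then adds two defender-side checks: a policy lint that lists mutating operations not gated at Administrator, and a scan over audit records that flags write operations completed by a read-only principal. The operation names (create_user_label, delete_user_label, and so on), the roles and the audit records are constructed assumptions loosely based on the advisory wording.

```python
# Added illustration (not Cisco's code): why "allow unless restricted" RBAC
# lets a read-only caller reach administrator-only operations, what a
# deny-by-default check looks like, and two checks a defender can run.
# Operation names such as create_user_label are assumptions loosely based
# on the advisory wording; the audit records below are constructed.
from dataclasses import dataclass
from enum import IntEnum


class Role(IntEnum):
    """Ordered roles; a higher value satisfies any lower requirement."""
    READ_ONLY = 1
    ADMIN = 2


@dataclass(frozen=True)
class Principal:
    username: str
    role: Role


# Hypothetical operation catalogue: True means the operation mutates state.
OPERATIONS = {
    "list_user_labels": False,
    "create_user_label": True,
    "delete_user_label": True,
    "create_user": True,
}

# Weak policy: only some operations were ever assigned a minimum role.
VULNERABLE_POLICY = {
    "list_user_labels": Role.READ_ONLY,
    "create_user": Role.ADMIN,
}

# Corrected policy: every operation declares the role it needs.
HARDENED_POLICY = {
    "list_user_labels": Role.READ_ONLY,
    "create_user_label": Role.ADMIN,
    "delete_user_label": Role.ADMIN,
    "create_user": Role.ADMIN,
}


def authorize_allow_by_default(policy, principal, operation):
    """The flawed pattern: an operation missing from the policy is permitted,
    so any operation the developers forgot to register becomes reachable by
    every authenticated caller (the CWE-269 / CWE-648 situation)."""
    required = policy.get(operation)
    if required is None:
        return True
    return principal.role >= required


def authorize_deny_by_default(policy, principal, operation):
    """Hardened check: an operation with no declared minimum role is refused,
    so an omission fails closed instead of open."""
    required = policy.get(operation)
    if required is None:
        return False
    return principal.role >= required


def audit_policy(policy, operations):
    """Policy lint: return mutating operations that are either unregistered
    or gated below ADMIN, sorted for stable output."""
    gaps = []
    for name, mutates in operations.items():
        if mutates and policy.get(name) != Role.ADMIN:
            gaps.append(name)
    return sorted(gaps)


def flag_suspicious_successes(audit_records):
    """Detection over audit records of (user, role, operation, outcome):
    report every mutating operation that a READ_ONLY principal completed.
    Operations absent from the catalogue are treated as mutating."""
    return [
        (user, op)
        for user, role, op, outcome in audit_records
        if outcome == "success"
        and role == Role.READ_ONLY
        and OPERATIONS.get(op, True)
    ]


if __name__ == "__main__":
    reader = Principal("ro-user", Role.READ_ONLY)
    print(authorize_allow_by_default(VULNERABLE_POLICY, reader, "create_user_label"))  # True: the gap
    print(authorize_deny_by_default(HARDENED_POLICY, reader, "create_user_label"))     # False
    print(audit_policy(VULNERABLE_POLICY, OPERATIONS))  # ['create_user_label', 'delete_user_label']
    # Constructed audit records, not real product logs.
    records = [
        ("ro-user", Role.READ_ONLY, "list_user_labels", "success"),
        ("ro-user", Role.READ_ONLY, "create_user_label", "success"),
        ("admin", Role.ADMIN, "delete_user_label", "success"),
    ]
    print(flag_suspicious_successes(records))  # [('ro-user', 'create_user_label')]
```

The design point is that the policy table, not the handler, is the single place where privilege is declared, and that an entry missing from that table must deny rather than allow; the lint then turns "did we register every write operation?" into a mechanical check that can run in CI, and the audit scan gives operators a way to look for the same gap in their own access records.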

Affected configurations

NVD match node: cisco secure_workload, version range < 3.7.1.40

Vendor   Product          Version   CPE
cisco    secure_workload  *         cpe:2.3:a:cisco:secure_workload:*:*:*:*:*:*:*:*
