CVE-2023-20237
4.3
Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Exploitability: 2.8 / Impact: 1.4
Source: NVD
Description
A vulnerability in Cisco Intersight Virtual Appliance could allow an unauthenticated, adjacent attacker to access internal HTTP services that are otherwise inaccessible.
This vulnerability is due to insufficient restrictions on internally accessible http proxies. An attacker could exploit this vulnerability by submitting a crafted CLI command. A successful exploit could allow the attacker access to internal subnets beyond the sphere of their intended access level.
Affected (1)
Products: Cisco: Intersight Virtual Appliance
Configuration A
| Vulnerable Software | Affected Versions |
|---|---|
| Before 1.0.9-589 |
| Running on/with | Platform Versions |
|---|---|
Cisco Intersight Assist | All versions |
Cisco Intersight Connected Virtual Appliance | All versions |
Cisco Intersight Private Virtual Appliance | All versions |
Related CWEs
CWE-284
Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
References (2)
Source: psirt@cisco.com
PatchVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
PatchVendor Advisory
Timeline
No history available yet.