Lucene search

K
cve[email protected]CVE-2020-3222
HistoryJun 03, 2020 - 6:15 p.m.

CVE-2020-3222

2020-06-0318:15:20
CWE-17
web.nvd.nist.gov
26
cve-2020-3222
web-based user interface
cisco ios xe software
unauthenticated
access control
bypass
network security
vulnerability

4.3 Medium

CVSS3

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

4.7 Medium

AI Score

Confidence

High

3.3 Low

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:A/AC:L/Au:N/C:N/I:P/A:N

0.001 Low

EPSS

Percentile

25.0%

A vulnerability in the web-based user interface (web UI) of Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to bypass access control restrictions on an affected device. The vulnerability is due to the presence of a proxy service at a specific endpoint of the web UI. An attacker could exploit this vulnerability by connecting to the proxy service. An exploit could allow the attacker to bypass access restrictions on the network by proxying their access request through the management network of the affected device. As the proxy is reached over the management virtual routing and forwarding (VRF), this could reduce the effectiveness of the bypass.

Affected configurations

NVD
Node
ciscoios_xeMatch16.10.1
OR
ciscoios_xeMatch16.10.1a
OR
ciscoios_xeMatch16.10.1b
OR
ciscoios_xeMatch16.10.1c
OR
ciscoios_xeMatch16.10.1d
OR
ciscoios_xeMatch16.10.1e
OR
ciscoios_xeMatch16.10.1f
OR
ciscoios_xeMatch16.10.1g
OR
ciscoios_xeMatch16.10.1s
OR
ciscoios_xeMatch16.10.2
OR
ciscoios_xeMatch16.11.1
OR
ciscoios_xeMatch16.11.1a
OR
ciscoios_xeMatch16.11.1b
OR
ciscoios_xeMatch16.11.1c
OR
ciscoios_xeMatch16.11.1s
OR
ciscoios_xeMatch16.12.1
OR
ciscoios_xeMatch16.12.1a
OR
ciscoios_xeMatch16.12.1c
OR
ciscoios_xeMatch16.12.1s
OR
ciscoios_xeMatch16.12.1t
OR
ciscoios_xeMatch16.12.1w
OR
ciscoios_xeMatch16.12.1y

CNA Affected

[
  {
    "product": "Cisco IOS XE Software 16.10.1",
    "vendor": "Cisco",
    "versions": [
      {
        "status": "affected",
        "version": "n/a"
      }
    ]
  }
]

4.3 Medium

CVSS3

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

4.7 Medium

AI Score

Confidence

High

3.3 Low

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:A/AC:L/Au:N/C:N/I:P/A:N

0.001 Low

EPSS

Percentile

25.0%

Related for CVE-2020-3222