CVE-2023-20098

2023-05-0918:15:11

CWE-24

CWE-22

[email protected]

web.nvd.nist.gov

cve-2023-20098

cisco sdwan vmanage

directory traversal

administrative privileges

system commands

arbitrary files

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

AI Score

5.1

Confidence

High

EPSS

Percentile

9.9%

JSON

A vulnerability in the CLI of Cisco SDWAN vManage Software could allow an authenticated, local attacker to delete arbitrary files.

This vulnerability is due to improper filtering of directory traversal character sequences within system commands. An attacker with administrative privileges could exploit this vulnerability by running a system command containing directory traversal character sequences to target an arbitrary file. A successful exploit could allow the attacker to delete arbitrary files from the system, including files owned by root.

Affected configurations

Nvd

Node

ciscocatalyst_sd-wan_managerMatch20.11

ciscosd-wan_vmanageRange<20.9.1

VendorProductVersionCPE
ciscocatalyst_sd-wan_manager20.11cpe:2.3:a:cisco:catalyst_sd-wan_manager:20.11:*:*:*:*:*:*:*
ciscosd-wan_vmanage*cpe:2.3:a:cisco:sd-wan_vmanage:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
cisco	catalyst_sd-wan_manager	20.11	cpe:2.3:a:cisco:catalyst_sd-wan_manager:20.11:::::::*
cisco	sd-wan_vmanage	*	cpe:2.3:a:cisco:sd-wan_vmanage::::::::