CVE-2019-15998Improper Access Control in Cisco IOS XR Software

CWE-284Improper Access ControlCWE-862Missing Authorization4 documents4 sources
Severity
5.3MEDIUMNVD
EPSS
0.4%
top 41.83%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Cisco IOS XR SoftwareCisco IOS XR
Timeline
PublishedNov 26
Latest updateMay 24

Description

A vulnerability in the access-control logic of the NETCONF over Secure Shell (SSH) of Cisco IOS XR Software may allow connections despite an access control list (ACL) that is configured to deny access to the NETCONF over SSH of an affected device. The vulnerability is due to a missing check in the NETCONF over SSH access control list (ACL). An attacker could exploit this vulnerability by connecting to an affected device using NETCONF over SSH. A successful exploit could allow the attacker to con

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

CVEListV5cisco/cisco_ios_xr_softwareunspecifiedn/a
NVDcisco/ios_xr6.5.1, 6.5.2, 6.5.3+2

🔴Vulnerability Details

2
GHSA
GHSA-w36j-549f-hchr: A vulnerability in the access-control logic of the NETCONF over Secure Shell (SSH) of Cisco IOS XR Software may allow connections despite an access co2022-05-24
CVEList
Cisco IOS XR Software NETCONF Over Secure Shell ACL Bypass Vulnerability2019-11-26

📋Vendor Advisories

1
Cisco
Cisco IOS XR Software NETCONF Over Secure Shell ACL Bypass Vulnerability2019-11-20
CVE-2019-15998 — Improper Access Control in Cisco | cvebase