CVE-2020-3227: Incorrect Authorization in Cisco IOS XE Software 16.3.1

Severity: 9.8 CRITICAL (NVD)
EPSS: 6.4% (top 8.98%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 3, 2020; latest update May 24

Description

A vulnerability in the authorization controls for the Cisco IOx application hosting infrastructure in Cisco IOS XE Software could allow an unauthenticated, remote attacker to execute Cisco IOx API commands without proper authorization. The vulnerability is due to incorrect handling of requests for authorization tokens. An attacker could exploit this vulnerability by using a crafted API call to request such a token. An exploit could allow the attacker to obtain an authorization token and execute

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (2 packages)

NVD: cisco/ios_xe (70 versions listed)

Vulnerability Details (2)

GHSA: GHSA-qmfx-jqw3-rhhv (2022-05-24): A vulnerability in the authorization controls for the Cisco IOx application hosting infrastructure in Cisco IOS XE Software could allow an unauthentic...
CVEList: Cisco IOx for IOS XE Software Privilege Escalation Vulnerability (2020-06-03)

Vendor Advisories (1)

Cisco: Cisco IOx for IOS XE Software Privilege Escalation Vulnerability (2020-06-03)

Source: cvebase, CVE-2020-3227