CVE-2023-20029Heap-based Buffer Overflow in Cisco IOS XE Software

CWE-122Heap-based Buffer Overflow4 documents4 sources
Severity
7.8HIGHNVD
CNA4.4
EPSS
0.2%
top 64.30%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Cisco IOS XE SoftwareCisco IOS XE
Timeline
PublishedMar 23

Description

A vulnerability in the Meraki onboarding feature of Cisco IOS XE Software could allow an authenticated, local attacker to gain root level privileges on an affected device. This vulnerability is due to insufficient memory protection in the Meraki onboarding feature of an affected device. An attacker could exploit this vulnerability by modifying the Meraki registration parameters. A successful exploit could allow the attacker to elevate privileges to root.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

NVDcisco/ios_xe17.7.1, 17.8.1+1

🔴Vulnerability Details

2
CVEList
Cisco IOS XE Software Privilege Escalation Vulnerability2023-03-23
GHSA
GHSA-m3m3-7pr3-vcp3: A vulnerability in the Meraki onboarding feature of Cisco IOS XE Software could allow an authenticated, local attacker to gain root level privileges o2023-03-23

📋Vendor Advisories

1
Cisco
Cisco IOS XE Software Privilege Escalation Vulnerability2023-03-22
CVE-2023-20029 — Heap-based Buffer Overflow in Cisco | cvebase