CVE-2023-20064 — Missing Authorization in Cisco IOS XR

CWE-862 — Missing Authorization4 documents4 sources

Severity

4.6MEDIUMNVD

EPSS

0.2%

top 55.17%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco IOS XR Cisco IOS XR Software

Timeline

PublishedMar 9

Latest updateMar 10

Description

A vulnerability in the GRand Unified Bootloader (GRUB) for Cisco IOS XR Software could allow an unauthenticated attacker with physical access to the device to view sensitive files on the console using the GRUB bootloader command line. This vulnerability is due to the inclusion of unnecessary commands within the GRUB environment that allow sensitive files to be viewed. An attacker could exploit this vulnerability by being connected to the console port of the Cisco IOS XR device when the device is…

CVSS vector

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 0.9 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5cisco/cisco_ios_xr_softwaren/a

▶NVDcisco/ios_xr< 7.9.1+2

🔴Vulnerability Details

GHSA

GHSA-8vc7-mgh3-xppf: A vulnerability in the GRand Unified Bootloader (GRUB) for Cisco IOS XR Software could allow an unauthenticated attacker with physical access to the d↗2023-03-10

▶

CVEList

Cisco IOS XR Software Bootloader Unauthenticated Information Disclosure Vulnerability↗2023-03-09

▶

📋Vendor Advisories

Cisco

Cisco IOS XR Software Bootloader Unauthenticated Information Disclosure Vulnerability↗2023-03-08

▶