CVE-2023-20065: Improper Access Control in Cisco IOS XE Software

Severity: 7.8 HIGH (NVD)
EPSS: 0.2% (top 60.55%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 23

Description

A vulnerability in the Cisco IOx application hosting subsystem of Cisco IOS XE Software could allow an authenticated, local attacker to elevate privileges to root on an affected device. This vulnerability is due to insufficient restrictions on the hosted application. An attacker could exploit this vulnerability by logging in to and then escaping the Cisco IOx application container. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 5.9

Affected Packages (2 packages)

CVEListV5: cisco/cisco_ios_xe_software, 50 versions (+49)
NVD: cisco/ios_xe, 17.11.1, 17.6.3 (+1)

Vulnerability Details (1 entry)

CVEList, 2023-03-23: CVE-2023-20065: A vulnerability in the Cisco IOx application hosting subsystem of Cisco IOS XE Software could allow an authenticated, local attacker to elevate privil

Vendor Advisories (1 entry)

Cisco, 2023-03-22: Cisco IOS XE Software IOx Application Hosting Environment Privilege Escalation Vulnerability
CVE-2023-20065 — Improper Access Control in Cisco | cvebase