CVE-2023-20115Lack of Administrator Control over Security in Cisco Nx-os Software

CWE-671Lack of Administrator Control over Security4 documents4 sources
Severity
5.4MEDIUMNVD
EPSS
0.3%
top 45.98%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Cisco Nx-os SoftwareCisco Nx-os
Timeline
PublishedAug 23

Description

A vulnerability in the SFTP server implementation for Cisco Nexus 3000 Series Switches and 9000 Series Switches in standalone NX-OS mode could allow an authenticated, remote attacker to download or overwrite files from the underlying operating system of an affected device. This vulnerability is due to a logic error when verifying the user role when an SFTP connection is opened to an affected device. An attacker could exploit this vulnerability by connecting and authenticating via SFTP as a valid

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages2 packages

NVDcisco/nx-os30 versions+29
CVEListV5cisco/cisco_nx-os_software30 versions+29

🔴Vulnerability Details

2
CVEList
CVE-2023-20115: A vulnerability in the SFTP server implementation for Cisco Nexus 3000 Series Switches and 9000 Series Switches in standalone NX-OS mode could allow a2023-08-23
GHSA
GHSA-x4px-54q2-j29c: A vulnerability in the SFTP server implementation for Cisco Nexus 3000 Series Switches and 9000 Series Switches in standalone NX-OS mode could allow a2023-08-23

📋Vendor Advisories

1
Cisco
Cisco Nexus 3000 and 9000 Series Switches SFTP Server File Access Vulnerability2023-08-23
CVE-2023-20115 — Cisco Nx-os Software vulnerability | cvebase