CVE-2023-20190Incorrect Authorization in Cisco IOS XR

CWE-264CWE-863Incorrect Authorization4 documents4 sources
Severity
5.3MEDIUMNVD
CNA5.8
EPSS
0.0%
top 85.64%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Cisco IOS XRCisco IOS XR Software
Timeline
PublishedSep 13

Description

A vulnerability in the classic access control list (ACL) compression feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass the protection that is offered by a configured ACL on an affected device. This vulnerability is due to incorrect destination address range encoding in the compression module of an ACL that is applied to an interface of an affected device. An attacker could exploit this vulnerability by sending traffic through the affected device that shou

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

CVEListV5cisco/cisco_ios_xr_software81 versions+80
NVDcisco/ios_xr7.57.5.4+3

🔴Vulnerability Details

2
GHSA
GHSA-j3jp-5cvm-4wvf: A vulnerability in the classic access control list (ACL) compression feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker2023-09-13
CVEList
CVE-2023-20190: A vulnerability in the classic access control list (ACL) compression feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker2023-09-13

📋Vendor Advisories

1
Cisco
Cisco IOS XR Software Compression ACL Bypass Vulnerability2023-09-13
CVE-2023-20190 — Incorrect Authorization in Cisco | cvebase