CVE-2024-20316Detection of Error Condition Without Action in Cisco IOS XE Software

CWE-390Detection of Error Condition Without Action4 documents4 sources
Severity
5.3MEDIUMNVD
CNA5.8
EPSS
0.3%
top 50.26%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Cisco IOS XE SoftwareCisco IOS XE
Timeline
PublishedMar 27

Description

A vulnerability in the data model interface (DMI) services of Cisco IOS XE Software could allow an unauthenticated, remote attacker to access resources that should have been protected by a configured IPv4 access control list (ACL). This vulnerability is due to improper handling of error conditions when a successfully authorized device administrator updates an IPv4 ACL using the NETCONF or RESTCONF protocol, and the update would reorder access control entries (ACEs) in the updated ACL. An attacke

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

CVEListV5cisco/cisco_ios_xe_software160 versions+159
NVDcisco/ios_xe160 versions+159

🔴Vulnerability Details

2
GHSA
GHSA-6rx6-h35g-58g2: A vulnerability in the data model interface (DMI) services of Cisco IOS XE Software could allow an unauthenticated, remote attacker to access resource2024-03-27
CVEList
CVE-2024-20316: A vulnerability in the data model interface (DMI) services of Cisco IOS XE Software could allow an unauthenticated, remote attacker to access resource2024-03-27

📋Vendor Advisories

1
Cisco
Cisco IOS XE Software NETCONF/RESTCONF IPv4 Access Control List Bypass Vulnerability2024-03-27
CVE-2024-20316 — Cisco IOS XE Software vulnerability | cvebase