CVE-2024-20510: Incorrect Authorization in Cisco IOS XE Software

Severity
NVD: 9.3 CRITICAL
CNA: 4.7
(The NVD and CNA scores differ; the NVD score is the one derived from the CVSS vector below.)
EPSS
0.0% (top 89.83%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Sep 25 (2024-09-25)

Description

A vulnerability in the Central Web Authentication (CWA) feature of Cisco IOS XE Software for Wireless Controllers could allow an unauthenticated, adjacent attacker to bypass the pre-authentication access control list (ACL), which could allow access to network resources before user authentication. This vulnerability is due to a logic error when activating the pre-authentication ACL that is received from the authentication, authorization, and accounting (AAA) server. An attacker could exploit this

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Exploitability: 2.8 | Impact: 5.8

Affected Packages (2 packages)

CVEListV5: cisco/cisco_ios_xe_software, 197 versions (+196 not shown)
NVD: cisco/ios_xe, 197 versions (+196 not shown)

🔴Vulnerability Details (2)

GHSA: GHSA-pp73-8587-cg75 (2024-09-25), same description as above
CVEList: CVE-2024-20510 (2024-09-25), same description as above

📋Vendor Advisories (1)

Cisco: Cisco IOS XE Software for Wireless Controllers CWA Pre-Authentication ACL Bypass Vulnerability (2024-09-25)
Source: cvebase