Skip to content

A vulnerability in the Authentication, Authorization, and...

Critical severity Unreviewed Published Sep 27, 2023 to the GitHub Advisory Database • Updated Feb 3, 2024

Package

No package listedSuggest a package

Affected versions

Unknown

Patched versions

Unknown

Description

A vulnerability in the Authentication, Authorization, and Accounting (AAA) feature of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, remote attacker to bypass command authorization and copy files to or from the file system of an affected device using the Secure Copy Protocol (SCP).

This vulnerability is due to incorrect processing of SCP commands in AAA command authorization checks. An attacker with valid credentials and level 15 privileges could exploit this vulnerability by using SCP to connect to an affected device from an external machine. A successful exploit could allow the attacker to obtain or change the configuration of the affected device and put files on or retrieve files from the affected device.

References

Published by the National Vulnerability Database Sep 27, 2023
Published to the GitHub Advisory Database Sep 27, 2023
Last updated Feb 3, 2024

Severity

Critical

EPSS score

0.120%
(48th percentile)

Weaknesses

CVE ID

CVE-2023-20186

GHSA ID

GHSA-2hj4-ccw5-92h5

Source code

No known source code

Dependabot alerts are not supported on this advisory because it does not have a package from a supported ecosystem with an affected and fixed version.

Learn more about GitHub language support

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.