CVE-2023-20254

Severity Score: 8.8 (CVSS v3.1)
Exploit Likelihood: (EPSS)
Affected Versions: (CPE)
Public Exploits: 0 (Multiple Sources)
Exploited in Wild: - (KEV)
Decision: Track* (SSVC)

Descriptions

A vulnerability in the session management system of the Cisco Catalyst SD-WAN Manager multi-tenant feature could allow an authenticated, remote attacker to access another tenant that is being managed by the same Cisco Catalyst SD-WAN Manager instance. This vulnerability requires the multi-tenant feature to be enabled.
This vulnerability is due to insufficient user session management within the Cisco Catalyst SD-WAN Manager system. An attacker could exploit this vulnerability by sending a crafted request to an affected system. A successful exploit could allow the attacker to gain unauthorized access to information about another tenant, make configuration changes, or possibly take a tenant offline causing a denial of service condition.


Credits: N/A

CVSS Scores
  • Vector 1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H): Attack Vector: Network; Attack Complexity: Low; Privileges Required: Low; User Interaction: None; Scope: Unchanged; Confidentiality: High; Integrity: High; Availability: High
  • Vector 2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H): Attack Vector: Network; Attack Complexity: Low; Privileges Required: High; User Interaction: None; Scope: Unchanged; Confidentiality: High; Integrity: High; Availability: High
* Common Vulnerability Scoring System
SSVC
  • Decision: Track*
  • Exploitation: None
  • Automatable: No
  • Tech. Impact: Total
* Organization's Worst-case Scenario
Timeline
  • 2022-10-27 CVE Reserved
  • 2023-09-27 CVE Published
  • 2024-10-03 EPSS Updated
  • 2024-10-23 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-732: Incorrect Permission Assignment for Critical Resource
CAPEC
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
  • Cisco | Sd-wan Manager | < 20.6.3.4 | - | Affected
  • Cisco | Sd-wan Manager | >= 20.7 < 20.9.3.2 | - | Affected
  • Cisco | Sd-wan Manager | >= 20.10 < 20.10.1.2 | - | Affected
  • Cisco | Sd-wan Manager | >= 20.11 < 20.11.1.2 | - | Affected