Description
A vulnerability in the key-based SSH authentication feature of Cisco StarOS Software could allow an authenticated, remote attacker to elevate privileges on an affected device.

This vulnerability is due to insufficient validation of user-supplied credentials. An attacker could exploit this vulnerability by sending a valid low-privileged SSH key to an affected device from a host that has an IP address that is configured as the source for a high-privileged user account. A successful exploit could allow the attacker to log in to the affected device through SSH as a high-privileged user.

There are workarounds that address this vulnerability.
Published: 2023-05-09
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

No analysis available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2023-24225 A vulnerability in the key-based SSH authentication feature of Cisco StarOS Software could allow an authenticated, remote attacker to elevate privileges on an affected device. This vulnerability is due to insufficient validation of user-supplied credentials. An attacker could exploit this vulnerability by sending a valid low-privileged SSH key to an affected device from a host that has an IP address that is configured as the source for a high-privileged user account. A successful exploit could allow the attacker to log in to the affected device through SSH as a high-privileged user. There are workarounds that address this vulnerability.
History

No history.

Subscriptions

Cisco Asr 5000 Asr 5500 Asr 5700 Staros Vpc-di Vpc-si
cve-icon MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2024-08-02T08:57:35.853Z

Reserved: 2022-10-27T18:47:50.317Z

Link: CVE-2023-20046

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2023-05-09T18:15:11.697

Modified: 2024-11-21T07:40:25.733

Link: CVE-2023-20046

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses