CVE-2023-20207 - Vulnerability Details

Description

A vulnerability in the logging component of Cisco Duo Authentication Proxy could allow an authenticated, remote attacker to view sensitive information in clear text on an affected system.

This vulnerability exists because certain unencrypted credentials are stored. An attacker could exploit this vulnerability by accessing the logs on an affected system and obtaining credentials that they may not normally have access to. A successful exploit could allow the attacker to view sensitive information in clear text.

Published: 2023-07-12

Score: 4.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Cisco

Cisco Duo Authentication Proxy

affected

Version	Status	Constraints
`2.10.0`	affected	—
`2.10.1`	affected	—
`2.11.0`	affected	—
`2.12.0`	affected	—
`2.12.1`	affected	—
`2.13.0`	affected	—
`2.14.0`	affected	—
`2.4.10`	affected	—
`2.4.11`	affected	—
`2.4.12`	affected	—
`2.4.13`	affected	—
`2.4.14`	affected	—
`2.4.14.1`	affected	—
`2.4.15`	affected	—
`2.4.16`	affected	—
`2.4.17`	affected	—
`2.4.18`	affected	—
`2.4.19`	affected	—
`2.4.2`	affected	—
`2.4.20`	affected	—
`2.4.21`	affected	—
`2.4.3`	affected	—
`2.4.4`	affected	—
`2.4.5`	affected	—
`2.4.6`	affected	—
`2.4.7`	affected	—
`2.4.8`	affected	—
`2.4.9`	affected	—
`2.5.4`	affected	—
`2.6.0`	affected	—
`2.7.0`	affected	—
`2.8.1`	affected	—
`2.9.0`	affected	—
`3.0.0`	affected	—
`3.1.0`	affected	—
`3.1.1`	affected	—
`3.2.0`	affected	—
`3.2.1`	affected	—
`3.2.2`	affected	—
`3.2.3`	affected	—
`3.2.4`	affected	—
`4.0.0`	affected	—
`4.0.1`	affected	—
`4.0.2`	affected	—
`5.0.0`	affected	—
`5.0.1`	affected	—
`5.0.2`	affected	—
`5.1.0`	affected	—
`5.1.1`	affected	—
`5.2.0`	affected	—
`5.2.1`	affected	—
`5.2.2`	affected	—
`5.3.0`	affected	—
`5.3.1`	affected	—
`5.4.0`	affected	—
`5.4.1`	affected	—
`5.5.0`	affected	—
`5.5.1`	affected	—
`5.6.0`	affected	—
`5.6.1`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:duo:authentication_proxy:5.8.1:::::::*
	cpe:2.3:a:duo:authentication_proxy:6.0.0:::::::*

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2023-24386	A vulnerability in the logging component of Cisco Duo Authentication Proxy could allow an authenticated, remote attacker to view sensitive information in clear text on an affected system. This vulnerability exists because certain unencrypted credentials are stored. An attacker could exploit this vulnerability by accessing the logs on an affected system and obtaining credentials that they may not normally have access to. A successful exploit could allow the attacker to view sensitive information in clear text.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00055.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-duo-auth-info-JgkSWBLz

History

No history.

Subscriptions

Duo Authentication Proxy

MITRE

Status: PUBLISHED

Assigner: cisco

Published: 2023-07-12T13:51:48.952Z

Updated: 2024-08-02T09:05:36.181Z

Reserved: 2022-10-27T18:47:50.367Z

Link: CVE-2023-20207

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-07-12T14:15:09.793

Modified: 2024-11-21T07:40:50.560

Link: CVE-2023-20207

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object