CVE-2023-20223 - OpenCVE

A vulnerability in Cisco DNA Center could allow an unauthenticated, remote attacker to read and modify data in a repository that belongs to an internal service on an affected device. This vulnerability is due to insufficient access control enforcement on API requests. An attacker could exploit this vulnerability by sending a crafted API request to an affected device. A successful exploit could allow the attacker to read and modify data that is handled by an internal service on the affected device.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Cisco	Dna Center

Configuration 1 [-]

cpe:2.3:a:cisco:dna_center:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnac-ins-acc-con-nHAVDRBZ

History

No history.

MITRE

Status: PUBLISHED

Assigner: cisco

Published: 2023-09-27T17:20:48.912Z

Updated: 2024-08-02T09:05:36.882Z

Reserved: 2022-10-27T18:47:50.368Z

Link: CVE-2023-20223

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-09-27T18:15:11.240

Modified: 2024-01-25T17:15:38.477

Link: CVE-2023-20223

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-20223", "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "state": "PUBLISHED", "assignerShortName": "cisco", "dateReserved": "2022-10-27T18:47:50.368Z", "datePublished": "2023-09-27T17:20:48.912Z", "dateUpdated": "2024-08-02T09:05:36.882Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco", "dateUpdated": "2024-01-25T16:58:24.369Z"}, "descriptions": [{"lang": "en", "value": "A vulnerability in Cisco DNA Center could allow an unauthenticated, remote attacker to read and modify data in a repository that belongs to an internal service on an affected device.\r\n\r This vulnerability is due to insufficient access control enforcement on API requests. An attacker could exploit this vulnerability by sending a crafted API request to an affected device. A successful exploit could allow the attacker to read and modify data that is handled by an internal service on the affected device."}], "affected": [{"vendor": "Cisco", "product": "Cisco Digital Network Architecture Center (DNA Center)", "versions": [{"version": "2.2.1.3", "status": "affected"}, {"version": "2.2.3.4", "status": "affected"}, {"version": "2.2.3.3", "status": "affected"}, {"version": "2.2.3.5", "status": "affected"}, {"version": "2.2.3.6", "status": "affected"}, {"version": "2.3.3.4", "status": "affected"}, {"version": "2.3.3.5", "status": "affected"}, {"version": "2.3.3.6", "status": "affected"}, {"version": "2.3.3.7", "status": "affected"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Access Control", "type": "cwe", "cweId": "CWE-284"}]}], "references": [{"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnac-ins-acc-con-nHAVDRBZ", "name": "cisco-sa-dnac-ins-acc-con-nHAVDRBZ"}], "metrics": [{"format": "cvssV3_1", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "LOW"}}], "exploits": [{"lang": "en", "value": "The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."}], "source": {"advisory": "cisco-sa-dnac-ins-acc-con-nHAVDRBZ", "discovery": "INTERNAL", "defects": ["CSCwe98803"]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T09:05:36.882Z"}, "title": "CVE Program Container", "references": [{"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnac-ins-acc-con-nHAVDRBZ", "name": "cisco-sa-dnac-ins-acc-con-nHAVDRBZ", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cisco:dna_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "055F029E-D366-42E8-B82C-7454F2FB5044", "versionEndExcluding": "2.3.5.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in Cisco DNA Center could allow an unauthenticated, remote attacker to read and modify data in a repository that belongs to an internal service on an affected device.\r\n\r This vulnerability is due to insufficient access control enforcement on API requests. An attacker could exploit this vulnerability by sending a crafted API request to an affected device. A successful exploit could allow the attacker to read and modify data that is handled by an internal service on the affected device."}, {"lang": "es", "value": "Una vulnerabilidad en Cisco DNA Center podr\u00eda permitir que un atacante remoto no autenticado lea y modifique datos en un repositorio que pertenece a un servicio interno en un dispositivo afectado. Esta vulnerabilidad se debe a una aplicaci\u00f3n insuficiente del control de acceso en las solicitudes de API. Un atacante podr\u00eda aprovechar esta vulnerabilidad enviando una solicitud API manipulada a un dispositivo afectado. Un exploit exitoso podr\u00eda permitir al atacante leer y modificar datos manejados por un servicio interno en el dispositivo afectado."}], "id": "CVE-2023-20223", "lastModified": "2024-01-25T17:15:38.477", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.7, "source": "ykramarz@cisco.com", "type": "Secondary"}]}, "published": "2023-09-27T18:15:11.240", "references": [{"source": "ykramarz@cisco.com", "tags": ["Vendor Advisory"], "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnac-ins-acc-con-nHAVDRBZ"}], "sourceIdentifier": "ykramarz@cisco.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-284"}], "source": "ykramarz@cisco.com", "type": "Secondary"}]}