CVE-2020-3467

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to modify parts of the configuration on an affected device. The vulnerability is due to improper enforcement of role-based access control (RBAC) within the web-based management interface. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to modify parts of the configuration. The modified configuration could either allow unauthorized devices onto the network or prevent authorized devices from accessing the network. To exploit this vulnerability, an attacker would need valid Read-Only Administrator credentials.

CVSS v3 7.7 HIGH
CVSS v2.0 5.5 MEDIUM

7.7^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.1 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope CHANGED

5.5^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:N/I:P/A:P

Exploitability : 8.0 / Impact : 4.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-auth-bypass-uJWqLTZM	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:cisco:identity_services_engine::::::::
	cpe:2.3:a:cisco:identity_services_engine:2.4\(0.357\):::::::*
	cpe:2.3:a:cisco:identity_services_engine:2.4.0.357:patch1::::::
	cpe:2.3:a:cisco:identity_services_engine:2.4.0.357:patch10::::::
	cpe:2.3:a:cisco:identity_services_engine:2.4.0.357:patch11::::::
	cpe:2.3:a:cisco:identity_services_engine:2.4.0.357:patch12::::::
	cpe:2.3:a:cisco:identity_services_engine:2.4.0.357:patch2::::::
	cpe:2.3:a:cisco:identity_services_engine:2.4.0.357:patch3::::::
	cpe:2.3:a:cisco:identity_services_engine:2.4.0.357:patch4::::::
	cpe:2.3:a:cisco:identity_services_engine:2.4.0.357:patch5::::::
	cpe:2.3:a:cisco:identity_services_engine:2.4.0.357:patch6::::::
	cpe:2.3:a:cisco:identity_services_engine:2.4.0.357:patch7::::::
	cpe:2.3:a:cisco:identity_services_engine:2.4.0.357:patch8::::::
	cpe:2.3:a:cisco:identity_services_engine:2.4.0.357:patch9::::::
	cpe:2.3:a:cisco:identity_services_engine:2.5:::::::*
	cpe:2.3:a:cisco:identity_services_engine:2.6\(0.156\):::::::*
	cpe:2.3:a:cisco:identity_services_engine:2.6.0:-::::::
	cpe:2.3:a:cisco:identity_services_engine:2.6.0.156:patch1::::::
	cpe:2.3:a:cisco:identity_services_engine:2.6.0.156:patch2::::::
	cpe:2.3:a:cisco:identity_services_engine:2.6.0.156:patch3::::::
	cpe:2.3:a:cisco:identity_services_engine:2.6.0.156:patch5::::::
	cpe:2.3:a:cisco:identity_services_engine:2.6.0.156:patch6::::::
	cpe:2.3:a:cisco:identity_services_engine:2.7:::::::*
	cpe:2.3:a:cisco:identity_services_engine:2.7\(0.356\):::::::*
	cpe:2.3:a:cisco:identity_services_engine:2.7.0.356:patch1::::::

History

No history.

Information

Published : 2020-10-08 05:15

Updated : 2023-12-10 13:41

NVD link : CVE-2020-3467

Mitre link : CVE-2020-3467

CVE.ORG link : CVE-2020-3467

JSON object : View

Products Affected

cisco

identity_services_engine

CWE

CWE-863

Incorrect Authorization

7.7 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope CHANGED

5.5 /10

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact PARTIAL

JSON object

Attach tags to CVE-2020-3467

7.7^/10

5.5^/10

Attach tags to `CVE-2020-3467`