A vulnerability in the OpenAPI of Cisco Secure Workload could allow an authenticated, remote attacker with the privileges of a read-only user to execute operations that should require Administrator privileges. The attacker would need valid user credentials.
This vulnerability is due to improper role-based access control (RBAC) of certain OpenAPI operations. An attacker could exploit this vulnerability by issuing a crafted OpenAPI function call with valid credentials. A successful exploit could allow the attacker to execute OpenAPI operations that are reserved for the Administrator user, including the creation and deletion of user labels.
References
Link | Resource |
---|---|
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csw-auth-openapi-kTndjdNX | Vendor Advisory |
Configurations
History
25 Jan 2024, 17:15
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-648 |
12 Jul 2023, 16:15
Type | Values Removed | Values Added |
---|---|---|
Summary | A vulnerability in the OpenAPI of Cisco Secure Workload could allow an authenticated, remote attacker with the privileges of a read-only user to execute operations that should require Administrator privileges. The attacker would need valid user credentials. This vulnerability is due to improper role-based access control (RBAC) of certain OpenAPI operations. An attacker could exploit this vulnerability by issuing a crafted OpenAPI function call with valid credentials. A successful exploit could allow the attacker to execute OpenAPI operations that are reserved for the Administrator user, including the creation and deletion of user labels. |
08 Jul 2023, 00:38
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.5 |
CWE | CWE-269 | |
First Time |
Cisco secure Workload
Cisco |
|
References | (CISCO) https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csw-auth-openapi-kTndjdNX - Vendor Advisory | |
CPE | cpe:2.3:a:cisco:secure_workload:*:*:*:*:*:*:*:* |
28 Jun 2023, 15:25
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-06-28 15:15
Updated : 2024-01-25 17:15
NVD link : CVE-2023-20136
Mitre link : CVE-2023-20136
CVE.ORG link : CVE-2023-20136
JSON object : View
Products Affected
cisco
- secure_workload