Denial of Service Vulnerability in Cisco Network Services Orchestrator
CVE-2023-20040
5.5 MEDIUM
Key Information:
- Vendor: Cisco
- CVE Published: 20 January 2023
What is CVE-2023-20040?
A vulnerability in the NETCONF service of Cisco Network Services Orchestrator (NSO) allows an authenticated remote attacker to cause a denial of service (DoS) condition on an affected system that is running as the root user. The issue arises from inadequate validation of user-supplied input during the package upload process. An attacker with admin group access can exploit the flaw by uploading a maliciously crafted package file. This can lead to arbitrary file manipulation on the affected device's filesystem, including both file creation and file deletion, which in turn disrupts service.
Affected Version(s)
Cisco Network Services Orchestrator 4.7.3