Access Control Vulnerability in Cisco Secure Workload
CVE-2023-20136

6.5MEDIUM

Key Information:

Vendor: Cisco
Status: Cisco Secure Workload
Vendor: CVE Published:; 28 June 2023

What is CVE-2023-20136?

A flaw in the OpenAPI of Cisco Secure Workload permits an authenticated, remote attacker with read-only privileges to perform actions meant for Administrator users. This vulnerability arises from inadequate role-based access control for specific OpenAPI functions. An attacker can exploit this by sending a specially crafted function call with valid credentials, thereby enabling unauthorized operations such as the creation and deletion of user labels, which should be strictly controlled.

Affected Version(s)

Cisco Secure Workload 1.102.21

Cisco Secure Workload 1.103.1.12

Cisco Secure Workload 2.0.1.34

References

https://sec.cloudapps.cisco.com/security/center/content/C...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 28, 2023
Vulnerability Reserved
Oct 27, 2022