Access Control Flaw in Cisco APIC Affecting Multi-Tenant Policies
CVE-2023-20230

5.4 MEDIUM

Key Information:

Vendor: Cisco
CVE Published: 23 August 2023

Badges

👾 Exploit Exists

Summary

A vulnerability in the implementation of restricted security domains in Cisco Application Policy Infrastructure Controller (APIC) could allow an authenticated, remote attacker to read, modify, or delete non-tenant policies. The issue stems from improper access control that allows access to security domain policies beyond tenant boundaries. An attacker with a valid user account within a restricted security domain can exploit this vulnerability to manipulate, without authorization, policies associated with other security domains. Policies under tenants that the attacker is not authorized to access remain protected against exploitation.

Affected Version(s)

Cisco Application Policy Infrastructure Controller (APIC) 5.2(6e)

Cisco Application Policy Infrastructure Controller (APIC) 5.2(6g)

Cisco Application Policy Infrastructure Controller (APIC) 5.2(7f)

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved