Cisco IOS XE Software Vulnerability: Unauthorized Access to Protected Resources

CVE-2024-20316

5.8MEDIUM

Key Information

Vendor: Cisco
Status: Cisco iOS Xe Software
Vendor: CVE Published:; 27 March 2024

Badges

👾 Exploit Exists

Summary

A vulnerability in the data model interface (DMI) services of Cisco IOS XE Software could allow an unauthenticated, remote attacker to access resources that should have been protected by a configured IPv4 access control list (ACL).

This vulnerability is due to improper handling of error conditions when a successfully authorized device administrator updates an IPv4 ACL using the NETCONF or RESTCONF protocol, and the update would reorder access control entries (ACEs) in the updated ACL. An attacker could exploit this vulnerability by accessing resources that should have been protected across an affected device.

Affected Version(s)

Cisco IOS XE Software = 16.3.1

Cisco IOS XE Software = 16.3.2

Cisco IOS XE Software = 16.3.3

References

https://sec.cloudapps.cisco.com/security/center/content/C...

CVSS V3.1

Score:

5.8

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Timeline

👾
Exploit known to exist
Jun 20, 2024
Vulnerability published
Mar 27, 2024
Vulnerability Reserved
Nov 8, 2023

Collectors

NVD DatabaseMitre Database