CVE-2024-20537

Опубликовано: 06 нояб. 2024

Источник: nvd

CVSS3: 6.5

EPSS Низкий

Описание

A vulnerability in the web-based management interface of Cisco ISE could allow an authenticated, remote attacker to bypass the authorization mechanisms for specific administrative functions.

This vulnerability is due to a lack of server-side validation of Administrator permissions. An attacker could exploit this vulnerability by submitting a crafted HTTP request to an affected system. A successful exploit could allow the attacker to conduct administrative functions beyond their intended access level. To exploit this vulnerability, an attacker would need Read-Only Administrator credentials.

Ссылки

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-auth-bypass-BBRf7mkE
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:cisco:identity_services_engine:3.0.0:-:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.0.0:patch1:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.0.0:patch2:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.0.0:patch3:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.0.0:patch4:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.0.0:patch5:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.0.0:patch6:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.0.0:patch7:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.0.0:patch8:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.1.0:-:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch1:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch2:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch3:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch4:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch5:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch6:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch7:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch8:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch9:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.2.0:-:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.2.0:patch1:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.2.0:patch2:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.2.0:patch3:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.2.0:patch4:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.2.0:patch5:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.2.0:patch6:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.3.0:-:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.3.0:patch1:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.3.0:patch2:*:*:*:*:*:*

EPSS

Процентиль: 24%

0.00084

Низкий

6.5 Medium

CVSS3

Дефекты

CWE-863

Связанные уязвимости

GHSA-fqm6-hhvg-fmrr

CVSS3: 6.5

github

больше 1 года назад

A vulnerability in the web-based management interface of Cisco ISE could allow an authenticated, remote attacker to bypass the authorization mechanisms for specific administrative functions. This vulnerability is due to a lack of server-side validation of Administrator permissions. An attacker could exploit this vulnerability by submitting a crafted HTTP request to an affected system. A successful exploit could allow the attacker to conduct administrative functions beyond their intended access level. To exploit this vulnerability, an attacker would need Read-Only Administrator credentials.

BDU:2024-09871

CVSS3: 6.5

fstec

больше 1 года назад

Уязвимость веб-интерфейса управления платформы управления политиками соединений Cisco Identity Services Engine (ISE), позволяющая нарушителю обойти ограничения безопасности и повысить свои привилегии

EPSS

Процентиль: 24%

0.00084

Низкий

6.5 Medium

CVSS3

Дефекты

CWE-863