CVE-2024-20316
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
27/03/2024
Last modified:
30/07/2025
Description
A vulnerability in the data model interface (DMI) services of Cisco IOS XE Software could allow an unauthenticated, remote attacker to access resources that should have been protected by a configured IPv4 access control list (ACL).<br />
<br />
This vulnerability is due to improper handling of error conditions when a successfully authorized device administrator updates an IPv4 ACL using the NETCONF or RESTCONF protocol, and the update would reorder access control entries (ACEs) in the updated ACL. An attacker could exploit this vulnerability by accessing resources that should have been protected across an affected device.
Impact
Base Score 3.x
5.80
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:cisco:ios_xe:16.3.1:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios_xe:16.3.1a:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios_xe:16.3.2:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios_xe:16.3.3:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios_xe:16.3.4:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios_xe:16.3.5:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios_xe:16.3.5b:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios_xe:16.3.6:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios_xe:16.3.7:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios_xe:16.3.8:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios_xe:16.3.9:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios_xe:16.3.10:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios_xe:16.3.11:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios_xe:16.4.1:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios_xe:16.4.2:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page