CVE-2020-3222
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
03/06/2020
Last modified:
22/09/2021
Description
A vulnerability in the web-based user interface (web UI) of Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to bypass access control restrictions on an affected device. The vulnerability is due to the presence of a proxy service at a specific endpoint of the web UI. An attacker could exploit this vulnerability by connecting to the proxy service. An exploit could allow the attacker to bypass access restrictions on the network by proxying their access request through the management network of the affected device. As the proxy is reached over the management virtual routing and forwarding (VRF), this could reduce the effectiveness of the bypass.
Impact
Base Score 3.x
4.30
Severity 3.x
MEDIUM
Base Score 2.0
3.30
Severity 2.0
LOW
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:o:cisco:ios_xe:16.10.1:*:*:*:*:*:*:* | ||
cpe:2.3:o:cisco:ios_xe:16.10.1a:*:*:*:*:*:*:* | ||
cpe:2.3:o:cisco:ios_xe:16.10.1b:*:*:*:*:*:*:* | ||
cpe:2.3:o:cisco:ios_xe:16.10.1c:*:*:*:*:*:*:* | ||
cpe:2.3:o:cisco:ios_xe:16.10.1d:*:*:*:*:*:*:* | ||
cpe:2.3:o:cisco:ios_xe:16.10.1e:*:*:*:*:*:*:* | ||
cpe:2.3:o:cisco:ios_xe:16.10.1f:*:*:*:*:*:*:* | ||
cpe:2.3:o:cisco:ios_xe:16.10.1g:*:*:*:*:*:*:* | ||
cpe:2.3:o:cisco:ios_xe:16.10.1s:*:*:*:*:*:*:* | ||
cpe:2.3:o:cisco:ios_xe:16.10.2:*:*:*:*:*:*:* | ||
cpe:2.3:o:cisco:ios_xe:16.11.1:*:*:*:*:*:*:* | ||
cpe:2.3:o:cisco:ios_xe:16.11.1a:*:*:*:*:*:*:* | ||
cpe:2.3:o:cisco:ios_xe:16.11.1b:*:*:*:*:*:*:* | ||
cpe:2.3:o:cisco:ios_xe:16.11.1c:*:*:*:*:*:*:* | ||
cpe:2.3:o:cisco:ios_xe:16.11.1s:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page