Vulnerability Details : CVE-2023-20088
A vulnerability in the nginx configurations that are provided as part of the VPN-less reverse proxy for Cisco Finesse could allow an unauthenticated, remote attacker to create a denial of service (DoS) condition for new and existing users who are connected through a load balancer. This vulnerability is due to improper IP address filtering by the reverse proxy. An attacker could exploit this vulnerability by sending a series of unauthenticated requests to the reverse proxy. A successful exploit could allow the attacker to cause all current traffic and subsequent requests to the reverse proxy through a load balancer to be dropped, resulting in a DoS condition.
Vulnerability category: BypassGain privilegeDenial of service
Products affected by CVE-2023-20088
- cpe:2.3:a:cisco:finesse:*:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:finesse:12.6\(1\):-:*:*:*:*:*:*
- cpe:2.3:a:cisco:finesse:12.6\(1\):es01:*:*:*:*:*:*
- cpe:2.3:a:cisco:finesse:12.6\(1\):es02:*:*:*:*:*:*
- cpe:2.3:a:cisco:finesse:12.6\(1\):es03:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-20088
0.14%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 50 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-20088
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.3
|
MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
3.9
|
1.4
|
Cisco Systems, Inc. | |
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2023-20088
-
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.Assigned by: ykramarz@cisco.com (Secondary)
References for CVE-2023-20088
-
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-finesse-proxy-dos-vY5dQhrV
Cisco Finesse Reverse Proxy VPN-less Access to Finesse Desktop Denial of Service VulnerabilityVendor Advisory
Jump to