CVE-2023-20260 : A vulnerability in the application CLI of Cisco Prime Infrastructure and Cisco E

A vulnerability in the application CLI of Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager could allow an authenticated, local attacker to gain escalated privileges. This vulnerability is due to improper processing of command line arguments to application scripts. An attacker could exploit this vulnerability by issuing a command on the CLI with malicious options. A successful exploit could allow the attacker to gain the escalated privileges of the root user on the underlying operating system.

Published 2024-01-17 17:15:10

Updated 2024-02-02 16:15:46

Source Cisco Systems, Inc.

View at NVD, CVE.org

Vulnerability category: BypassGain privilege

Products affected by CVE-2023-20260

Cisco » Prime Infrastructure
Versions before (<) 3.10.4
cpe:2.3:a:cisco:prime_infrastructure:*:*:*:*:*:*:*:*
Matching versions
Cisco » Prime Infrastructure » Version: 3.10.4
cpe:2.3:a:cisco:prime_infrastructure:3.10.4:-:*:*:*:*:*:*
Matching versions
Cisco » Prime Infrastructure » Version: 3.10.4 Update Update 1
cpe:2.3:a:cisco:prime_infrastructure:3.10.4:update_1:*:*:*:*:*:*
Matching versions
Cisco » Evolved Programmable Network Manager
Versions before (<) 7.1.1
cpe:2.3:a:cisco:evolved_programmable_network_manager:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-20260

EPSS FAQ

0.01%

Probability of exploitation activity in the next 30 days EPSS Score History

~ %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-20260

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
6.7	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	0.8	5.9	NIST	2024-01-24
Attack Vector: Local Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
6.0	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N	0.8	5.2	Cisco Systems, Inc.	2024-01-17
Attack Vector: Local Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: None

CWE ids for CVE-2023-20260

CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

Assigned by: nvd@nist.gov (Primary)
CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Assigned by: ykramarz@cisco.com (Secondary)

References for CVE-2023-20260

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-pi-epnm-wkZJeyeq

Cisco Evolved Programmable Network Manager and Cisco Prime Infrastructure Vulnerabilities
Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2023-20260

Products affected by CVE-2023-20260

Exploit prediction scoring system (EPSS) score for CVE-2023-20260

CVSS scores for CVE-2023-20260

CWE ids for CVE-2023-20260

References for CVE-2023-20260