CVE-2024-20537

06.11.2024, 17:15

A vulnerability in the web-based management interface of Cisco ISE could allow an authenticated, remote attacker to bypass the authorization mechanisms for specific administrative functions.

This vulnerability is due to a lack of server-side validation of Administrator permissions. An attacker could exploit this vulnerability by submitting a crafted HTTP request to an affected system. A successful exploit could allow the attacker to conduct administrative functions beyond their intended access level. To exploit this vulnerability, an attacker would need Read-Only Administrator credentials.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.5 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
cisco	CNA	6.5 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 2%

Vendor	Product	Version
cisco	identity_services_engine	3.0.0
cisco	identity_services_engine	3.0.0:patch1
cisco	identity_services_engine	3.0.0:patch2
cisco	identity_services_engine	3.0.0:patch3
cisco	identity_services_engine	3.0.0:patch4
cisco	identity_services_engine	3.0.0:patch5
cisco	identity_services_engine	3.0.0:patch6
cisco	identity_services_engine	3.0.0:patch7
cisco	identity_services_engine	3.0.0:patch8
cisco	identity_services_engine	3.1.0
cisco	identity_services_engine	3.1.0:patch1
cisco	identity_services_engine	3.1.0:patch2
cisco	identity_services_engine	3.1.0:patch3
cisco	identity_services_engine	3.1.0:patch4
cisco	identity_services_engine	3.1.0:patch5
cisco	identity_services_engine	3.1.0:patch6
cisco	identity_services_engine	3.1.0:patch7
cisco	identity_services_engine	3.1.0:patch8
cisco	identity_services_engine	3.1.0:patch9
cisco	identity_services_engine	3.2.0
cisco	identity_services_engine	3.2.0:patch1
cisco	identity_services_engine	3.2.0:patch2
cisco	identity_services_engine	3.2.0:patch3
cisco	identity_services_engine	3.2.0:patch4
cisco	identity_services_engine	3.2.0:patch5
cisco	identity_services_engine	3.2.0:patch6
cisco	identity_services_engine	3.3.0
cisco	identity_services_engine	3.3.0:patch1
cisco	identity_services_engine	3.3.0:patch2

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-863 - Incorrect Authorization
The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-auth-bypass-BBRf7mkE