Cyber Resilience

CVE-2023-20230

Medium

Published: 23 August 2023

Modified: 21 November 2024
KEV Added: not listed
Status: Patch
CVSS Score (v3.1): 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)
EPSS Score: 0.0023 (46.4th percentile)
Risk Priority: 11 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-20230 is a medium-severity Improper Access Control (CWE-284) vulnerability in Cisco Application Policy Infrastructure Controller (APIC). Its CVSS base score is 5.4 (Medium).

Operationally, its EPSS score places it at the 46.4th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

A vulnerability in the restricted security domain implementation of Cisco Application Policy Infrastructure Controller (APIC) could allow an authenticated, remote attacker to read, modify, or delete non-tenant policies (for example, access policies) created by users associated with a different security domain on an affected system. This vulnerability is due to improper access control when restricted security domains are used to implement multi-tenancy for policies outside the tenant boundaries. An attacker with a valid user account associated with a restricted security domain could exploit this vulnerability. A successful exploit could allow the attacker to read, modify, or delete policies created by users associated with a different security domain. Exploitation is not possible for policies under tenants that an attacker has no authorization to access.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Cisco Application Policy Infrastructure Controller (APIC)
Affected versions: 5.2 through 5.2(8d) and 6.0 through 6.0(3d)

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-284, CWE-732: The access control policy and procedures directly mandate and enforce proper access control mechanisms across the organization.

- Addresses CWE-284, CWE-732: Associating and retaining security attributes with data directly supports enforcement of access control decisions across storage, processing, and transmission.

- Addresses CWE-732, CWE-284: Limiting privileges to what each task requires prevents overly permissive assignments to critical resources.

- Addresses CWE-284, CWE-732: The awareness and training policy mandates training on access control practices, directly reducing the likelihood of improper access control weaknesses being introduced or exploited.

- Addresses CWE-284, CWE-732: Security training teaches access control policies and their enforcement, reducing improper access control implementations.

- Addresses CWE-284, CWE-732: The control directly enforces access controls to prevent unauthorized access, modification, or deletion of audit information and tools.

- Addresses CWE-284, CWE-732: Control assessments verify that access controls are implemented correctly and operating as intended, detecting improper access control before exploitation.

- Addresses CWE-284, CWE-732: Certification requires an independent assessment confirming that access controls are implemented correctly and are effective.

References