CVE-2023-20136

Summary

A vulnerability in the OpenAPI of Cisco Secure Workload could allow an authenticated, remote attacker with the privileges of a read-only user to execute operations that should require Administrator privileges. The attacker would need valid user credentials. This vulnerability is due to improper role-based access control (RBAC) of certain OpenAPI operations. An attacker could exploit this vulnerability by issuing a crafted OpenAPI function call with valid credentials. A successful exploit could allow the attacker to execute OpenAPI operations that are reserved for the Administrator user, including the creation and deletion of user labels.

Affected Software

VendorProductVersion RangeStatus
CiscoCisco Secure Workload1.102.21affected
CiscoCisco Secure Workload1.103.1.12affected
CiscoCisco Secure Workload2.0.1.34affected
CiscoCisco Secure Workload2.0.2.20affected
CiscoCisco Secure Workload2.1.1.29affected
CiscoCisco Secure Workload2.1.1.31affected
CiscoCisco Secure Workload2.1.1.33affected
CiscoCisco Secure Workload2.2.1.34affected
CiscoCisco Secure Workload2.2.1.35affected
CiscoCisco Secure Workload2.2.1.39affected
CiscoCisco Secure Workload2.2.1.41affected
CiscoCisco Secure Workload2.3.1.41affected
CiscoCisco Secure Workload2.3.1.45affected
CiscoCisco Secure Workload2.3.1.49affected
CiscoCisco Secure Workload2.3.1.50affected
CiscoCisco Secure Workload2.3.1.51affected
CiscoCisco Secure Workload2.3.1.52affected
CiscoCisco Secure Workload2.3.1.53affected
CiscoCisco Secure Workload3.1.1.53affected
CiscoCisco Secure Workload3.1.1.54affected
CiscoCisco Secure Workload3.1.1.55affected
CiscoCisco Secure Workload3.1.1.59affected
CiscoCisco Secure Workload3.1.1.61affected
CiscoCisco Secure Workload3.1.1.65affected
CiscoCisco Secure Workload3.1.1.67affected
CiscoCisco Secure Workload3.1.1.70affected
CiscoCisco Secure Workload3.2.1.18affected
CiscoCisco Secure Workload3.2.1.19affected
CiscoCisco Secure Workload3.2.1.20affected
CiscoCisco Secure Workload3.2.1.28affected
CiscoCisco Secure Workload3.2.1.31affected
CiscoCisco Secure Workload3.2.1.32affected
CiscoCisco Secure Workload3.2.1.33affected
CiscoCisco Secure Workload3.3.2.12affected
CiscoCisco Secure Workload3.3.2.16affected
CiscoCisco Secure Workload3.3.2.2affected
CiscoCisco Secure Workload3.3.2.23affected
CiscoCisco Secure Workload3.3.2.28affected
CiscoCisco Secure Workload3.3.2.33affected
CiscoCisco Secure Workload3.3.2.35affected
CiscoCisco Secure Workload3.3.2.42affected
CiscoCisco Secure Workload3.3.2.5affected
CiscoCisco Secure Workload3.3.2.50affected
CiscoCisco Secure Workload3.3.2.53affected
CiscoCisco Secure Workload3.4.1.1affected
CiscoCisco Secure Workload3.4.1.14affected
CiscoCisco Secure Workload3.4.1.19affected
CiscoCisco Secure Workload3.4.1.20affected
CiscoCisco Secure Workload3.4.1.28affected
CiscoCisco Secure Workload3.4.1.34affected
CiscoCisco Secure Workload3.4.1.35affected
CiscoCisco Secure Workload3.4.1.6affected
CiscoCisco Secure Workload3.4.1.40affected
CiscoCisco Secure Workload3.5.1.1affected
CiscoCisco Secure Workload3.5.1.17affected
CiscoCisco Secure Workload3.5.1.2affected
CiscoCisco Secure Workload3.5.1.20affected
CiscoCisco Secure Workload3.5.1.23affected
CiscoCisco Secure Workload3.5.1.30affected
CiscoCisco Secure Workload3.5.1.31affected
CiscoCisco Secure Workload3.5.1.37affected
CiscoCisco Secure Workload3.6.1.17affected
CiscoCisco Secure Workload3.6.1.21affected
CiscoCisco Secure Workload3.6.1.36affected
CiscoCisco Secure Workload3.6.1.47affected
CiscoCisco Secure Workload3.6.1.5affected
CiscoCisco Secure Workload3.6.1.52affected
CiscoCisco Secure Workload3.7.1.22affected
CiscoCisco Secure Workload3.7.1.5affected

Weaknesses

  • CWE-648: Incorrect Use of Privileged APIs

ADP Enrichment

CVE Program Container

Additional References

References