CVE-2024-20537

Summary

A vulnerability in the web-based management interface of Cisco ISE could allow an authenticated, remote attacker to bypass the authorization mechanisms for specific administrative functions.

This vulnerability is due to a lack of server-side validation of Administrator permissions. An attacker could exploit this vulnerability by submitting a crafted HTTP request to an affected system. A successful exploit could allow the attacker to conduct administrative functions beyond their intended access level. To exploit this vulnerability, an attacker would need Read-Only Administrator credentials.

Affected Software

VendorProductVersion RangeStatus
CiscoCisco Identity Services Engine Software3.0.0affected
CiscoCisco Identity Services Engine Software3.0.0 p1affected
CiscoCisco Identity Services Engine Software3.0.0 p2affected
CiscoCisco Identity Services Engine Software3.0.0 p3affected
CiscoCisco Identity Services Engine Software3.1.0affected
CiscoCisco Identity Services Engine Software3.0.0 p4affected
CiscoCisco Identity Services Engine Software3.1.0 p1affected
CiscoCisco Identity Services Engine Software3.0.0 p5affected
CiscoCisco Identity Services Engine Software3.1.0 p3affected
CiscoCisco Identity Services Engine Software3.1.0 p2affected
CiscoCisco Identity Services Engine Software3.0.0 p6affected
CiscoCisco Identity Services Engine Software3.2.0affected
CiscoCisco Identity Services Engine Software3.1.0 p4affected
CiscoCisco Identity Services Engine Software3.1.0 p5affected
CiscoCisco Identity Services Engine Software3.2.0 p1affected
CiscoCisco Identity Services Engine Software3.0.0 p7affected
CiscoCisco Identity Services Engine Software3.1.0 p6affected
CiscoCisco Identity Services Engine Software3.2.0 p2affected
CiscoCisco Identity Services Engine Software3.1.0 p7affected
CiscoCisco Identity Services Engine Software3.3.0affected
CiscoCisco Identity Services Engine Software3.2.0 p3affected
CiscoCisco Identity Services Engine Software3.0.0 p8affected
CiscoCisco Identity Services Engine Software3.2.0 p4affected
CiscoCisco Identity Services Engine Software3.1.0 p8affected
CiscoCisco Identity Services Engine Software3.2.0 p5affected
CiscoCisco Identity Services Engine Software3.2.0 p6affected
CiscoCisco Identity Services Engine Software3.1.0 p9affected
CiscoCisco Identity Services Engine Software3.3 Patch 2affected
CiscoCisco Identity Services Engine Software3.3 Patch 1affected

Weaknesses

  • CWE-863: Incorrect Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References