CVE-2023-20230
A vulnerability in the restricted security domain implementation of Cisco Application Policy Infrastructure Controller (APIC) could allow an authenticated, remote attacker to read, modify, or delete non-tenant policies (for example, access policies) created by users associated with a different security domain on an affected system. This vulnerability is due to improper access control when restricted security domains are used to implement multi-tenancy for policies outside the tenant boundaries. An attacker with a valid user account associated with a restricted security domain could exploit this vulnerability. A successful exploit could allow the attacker to read, modify, or delete policies created by users associated with a different security domain. Exploitation is not possible for policies under tenants that an attacker has no authorization to access.
EPSS 0.23% · 46.3rd percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| cisco | application_policy_infrastructure_controller | 5.2, 6.0 |
| Cisco | Cisco Application Policy Infrastructure Controller (APIC) | 5.2(6e), 5.2(6g), 5.2(7f) |
Exploit Intelligence
- cisco-sa-apic-uapa-F4TAShk (circl)
Timeline
- Aug 23, 2023 CVE Published
- Aug 24, 2023 EPSS Score
- Sep 26, 2023 EPSS Score
- Oct 29, 2023 EPSS Score
- Dec 1, 2023 EPSS Score
- Jan 3, 2024 EPSS Score
- Feb 6, 2024 EPSS Score
- Mar 10, 2024 EPSS Score
- Apr 12, 2024 EPSS Score
- May 15, 2024 EPSS Score
- Jun 17, 2024 EPSS Score
- Jul 20, 2024 EPSS Score