What is the severity of CVE-2020-3223?

CVE-2020-3223 has a CVSS score that indicates high severity due to its potential for exposing sensitive filesystem data.

How do I fix CVE-2020-3223?

To remediate CVE-2020-3223, upgrade your Cisco IOS XE Software to the recommended versions provided in the security advisory.

Who is affected by CVE-2020-3223?

CVE-2020-3223 affects devices running vulnerable versions of Cisco IOS XE Software with a web-based user interface.

Can CVE-2020-3223 be exploited remotely?

Yes, CVE-2020-3223 can be exploited by an authenticated remote attacker with administrative privileges.

What type of vulnerability is CVE-2020-3223?

CVE-2020-3223 is classified as a path traversal vulnerability that allows file reading on the underlying filesystem.

Vulnerability/
CVE-2020-3223

medium

6.8

CWE

3/6/2020

15/11/2024

CVE-2020-3223: Cisco IOS XE Software Web UI Arbitrary File Read Vulnerability

First published: Wed Jun 03 2020(Updated: )

A vulnerability in the web-based user interface (web UI) of Cisco IOS XE Software could allow an authenticated, remote attacker with administrative privileges to read arbitrary files on the underlying filesystem of the device. The vulnerability is due to insufficient file scope limiting. An attacker could exploit this vulnerability by creating a specific file reference on the filesystem and then accessing it through the web UI. An exploit could allow the attacker to read arbitrary files from the underlying operating system's filesystem.

Credit: ykramarz@cisco.com

Affected Software	Affected Version	How to fix
Cisco IOS XE Web UI	=16.9.4
Cisco IOS XE Web UI	=16.9.4c
Cisco IOS XE Web UI	=16.11.1
Cisco IOS XE Web UI	=16.11.1a
Cisco IOS XE Web UI	=16.11.1b
Cisco IOS XE Web UI	=16.11.1c
Cisco IOS XE Web UI	=16.11.1s
Cisco IOS XE Web UI	=16.11.2
Cisco IOS XE Web UI	=16.12.1
Cisco IOS XE Web UI	=16.12.1a
Cisco IOS XE Web UI	=16.12.1c
Cisco IOS XE Web UI	=16.12.1s
Cisco IOS XE Web UI	=16.12.1t
Cisco IOS XE Web UI	=16.12.1w
Cisco IOS XE Web UI	=16.12.1y

Remedy

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webui-filerd-HngnDYGk

Never miss a vulnerability like this again

Reference Links

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webui-filerd-HngnDYGk

Frequently Asked Questions

What is the severity of CVE-2020-3223?
CVE-2020-3223 has a CVSS score that indicates high severity due to its potential for exposing sensitive filesystem data.
How do I fix CVE-2020-3223?
To remediate CVE-2020-3223, upgrade your Cisco IOS XE Software to the recommended versions provided in the security advisory.
Who is affected by CVE-2020-3223?
CVE-2020-3223 affects devices running vulnerable versions of Cisco IOS XE Software with a web-based user interface.
Can CVE-2020-3223 be exploited remotely?
Yes, CVE-2020-3223 can be exploited by an authenticated remote attacker with administrative privileges.
What type of vulnerability is CVE-2020-3223?
CVE-2020-3223 is classified as a path traversal vulnerability that allows file reading on the underlying filesystem.

agent/type
agent/softwarecombine
agent/title
agent/weakness
agent/author
agent/severity
agent/remedy
agent/references
agent/description
agent/first-publish-date
agent/event
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/source
agent/tags
collector/nvd-index
agent/software-canonical-lookup-request
vendor/cisco
canonical/cisco ios xe web ui
version/cisco ios xe web ui/16.9.4
version/cisco ios xe web ui/16.9.4c
version/cisco ios xe web ui/16.11.1
version/cisco ios xe web ui/16.11.1a
version/cisco ios xe web ui/16.11.1b
version/cisco ios xe web ui/16.11.1c
version/cisco ios xe web ui/16.11.1s
version/cisco ios xe web ui/16.11.2
version/cisco ios xe web ui/16.12.1
version/cisco ios xe web ui/16.12.1a
version/cisco ios xe web ui/16.12.1c
version/cisco ios xe web ui/16.12.1s
version/cisco ios xe web ui/16.12.1t
version/cisco ios xe web ui/16.12.1w
version/cisco ios xe web ui/16.12.1y