First published: Thu Mar 23 2023
A vulnerability in the implementation of the Cisco Network Plug-and-Play (PnP) agent of Cisco DNA Center could allow an authenticated, remote attacker to view sensitive information in clear text. The attacker must have valid low-privileged user credentials. This vulnerability is due to improper role-based access control (RBAC) with the integration of PnP. An attacker could exploit this vulnerability by authenticating to the device and sending a query to an internal API. A successful exploit could allow the attacker to view sensitive information in clear text, which could include configuration files.
Credit: ykramarz@cisco.com
Affected Software | Affected Version | How to fix |
---|---|---|
Cisco DNA Center | <2.3.3.7 | |
Cisco DNA Center | >=2.3.4.0 <2.3.5.0 | |
CVE-2023-20059 is a vulnerability in the implementation of the Cisco Network Plug-and-Play (PnP) agent of Cisco DNA Center that allows an authenticated, remote attacker to view sensitive information in plain text.
CVE-2023-20059 has a severity value of 6.5, which is considered medium.
CVE-2023-20059 affects Cisco DNA Center versions before 2.3.3.7 and versions from 2.3.4.0 up to, but not including, 2.3.5.0.
An attacker with valid low-privileged user credentials can exploit CVE-2023-20059 to view sensitive information in clear text.
It is recommended to update Cisco DNA Center to a version that is not affected by CVE-2023-20059. Refer to the Cisco Security Advisory for more information.
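To check an inventory of Cisco DNA Center deployments against the affected version ranges listed on this page, the following sketch compares versions numerically rather than as strings. It is an added example, not code from Cisco or from this page; the hostnames, the sample versions, and the handling of an optional `-build` suffix are assumptions.

```python
import re

# Affected ranges as listed in the table above: <2.3.3.7 and >=2.3.4.0 <2.3.5.0.
# Each entry is (inclusive lower bound or None, exclusive upper bound).
AFFECTED_RANGES = [
    (None, (2, 3, 3, 7)),
    ((2, 3, 4, 0), (2, 3, 5, 0)),
]

# Assumption: versions are 2 to 4 dotted integers, optionally followed by a
# "-build" suffix that does not take part in the comparison.
_VERSION_RE = re.compile(r"\s*(\d+(?:\.\d+){1,3})(?:-\S+)?\s*")


def parse_version(text):
    """Return the version as a 4-tuple of ints, e.g. '2.3.3.10' -> (2, 3, 3, 10)."""
    match = _VERSION_RE.fullmatch(text)
    if match is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    return parts + (0,) * (4 - len(parts))


def is_affected(version_text):
    """True if the version falls inside one of the affected ranges."""
    version = parse_version(version_text)
    return any(
        (low is None or version >= low) and version < high
        for low, high in AFFECTED_RANGES
    )


def triage(inventory):
    """Split {host: version} into affected / not_affected / unknown host lists."""
    result = {"affected": [], "not_affected": [], "unknown": []}
    for host, version_text in sorted(inventory.items()):
        try:
            bucket = "affected" if is_affected(version_text) else "not_affected"
        except ValueError:
            bucket = "unknown"  # review by hand rather than assume it is patched
        result[bucket].append(host)
    return result


# Constructed inventory for illustration; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "dnac-lab": "2.3.3.6",
    "dnac-core": "2.3.3.10",  # above 2.3.3.7 only when parsed as integers
    "dnac-branch": "2.3.4.3",
    "dnac-dr": "2.3.5.0",
    "dnac-old": "unknown",
}

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```

Hosts whose version string cannot be parsed land in `unknown` so they are checked manually instead of being treated as fixed.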