Skip to main content

Ios Xr CVE-2023-20191

HIGH
Improper Access Control (CWE-284)
2023-09-13 psirt@cisco.com
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

1
CVE Published
Sep 13, 2023 - 17:15 nvd
HIGH 7.5

DescriptionNVD

A vulnerability in the access control list (ACL) processing on MPLS interfaces in the ingress direction of Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass a configured ACL. This vulnerability is due to incomplete support for this feature. An attacker could exploit this vulnerability by attempting to send traffic through an affected device. A successful exploit could allow the attacker to bypass an ACL on the affected device. There are workarounds that address this vulnerability.

This advisory is part of the September 2023 release of the Cisco IOS XR Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: September 2023 Semiannual Cisco IOS XR Software Security Advisory Bundled Publication .

AnalysisAI

A vulnerability in the access control list (ACL) processing on MPLS interfaces in the ingress direction of Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass a configured. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-284. A vulnerability in the access control list (ACL) processing on MPLS interfaces in the ingress direction of Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass a configured ACL. This vulnerability is due to incomplete support for this feature. An attacker could exploit this vulnerability by attempting to send traffic through an affected device. A successful exploit could allow the attacker to bypass an ACL on the affected device. There are workarounds that address this vulnerability. This advisory is part of the September 2023 release of the Cisco IOS XR Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: September 2023 Semiannual Cisco IOS XR Software Security Advisory Bundled Publication . Affected products include: Cisco Ios Xr.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More in Ios Xr

View all
CVE-2020-3284 CRITICAL
9.8 Nov 06

A vulnerability in the enhanced Preboot eXecution Environment (PXE) boot loader for Cisco IOS XR 64-bit Software could a

CVE-2019-1710 CRITICAL
9.8 Apr 17

A vulnerability in the sysadmin virtual machine (VM) on Cisco ASR 9000 Series Aggregation Services Routers running Cisco

CVE-2023-20190 MEDIUM POC
5.3 Sep 13

A vulnerability in the classic access control list (ACL) compression feature of Cisco IOS XR Software could allow an una

CVE-2025-20138 HIGH
8.8 Mar 12

A vulnerability in the CLI of Cisco IOS XR Software could allow an authenticated, local attacker to execute arbitrary co

CVE-2026-20040 HIGH
8.8 Mar 11

Insufficient CLI argument validation in Cisco IOS XR Software enables authenticated local attackers to achieve root-leve

CVE-2026-20046 HIGH
8.8 Mar 11

Cisco IOS XR Software contains a task group mapping flaw in a specific CLI command that allows authenticated local attac

CVE-2024-20381 HIGH
8.8 Sep 11

A vulnerability in the JSON-RPC API feature in Cisco Crosswork Network Services Orchestrator (NSO) and ConfD that is use

CVE-2020-3217 HIGH
8.8 Jun 03

A vulnerability in the Topology Discovery Service of Cisco One Platform Kit (onePK) in Cisco IOS Software, Cisco IOS XE

CVE-2020-3118 HIGH
8.8 Feb 05

A vulnerability in the Cisco Discovery Protocol implementation for Cisco IOS XR Software could allow an unauthenticated,

CVE-2018-0167 HIGH
8.8 Mar 28

Multiple Buffer Overflow vulnerabilities in the Link Layer Discovery Protocol (LLDP) subsystem of Cisco IOS Software, Ci

CVE-2025-20115 HIGH
8.6 Mar 12

A vulnerability in confederation implementation for the Border Gateway Protocol (BGP) in Cisco IOS XR Software coul

CVE-2025-20154 HIGH
8.6 May 07

A vulnerability in the Two-Way Active Measurement Protocol (TWAMP) server feature of Cisco IOS Software and Cisco IOS XE

Share

CVE-2023-20191 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy