CVE-2024-20528

A vulnerability in the API of Cisco ISE could allow an authenticated, remote attacker to upload files to arbitrary locations on the underlying operating system of an affected device. To exploit this vulnerability, an attacker would need valid Super Admin credentials. This vulnerability is due to insufficient validation of user-supplied parameters in API requests. An attacker could exploit this vulnerability by sending a crafted API request to an affected device. A successful exploit could allow the attacker to upload custom files to arbitrary locations on the underlying operating system, execute arbitrary code, and elevate privileges to root.

CVSS v3 3.8 LOW

3.8^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-multi-vuln-DBQdWRy	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:cisco:identity_services_engine::::::::
	cpe:2.3:a:cisco:identity_services_engine:3.1.0:-::::::
	cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch1::::::
	cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch2::::::
	cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch3::::::
	cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch4::::::
	cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch5::::::
	cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch6::::::
	cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch7::::::
	cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch8::::::
	cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch9::::::
	cpe:2.3:a:cisco:identity_services_engine:3.2.0:-::::::
	cpe:2.3:a:cisco:identity_services_engine:3.2.0:patch1::::::
	cpe:2.3:a:cisco:identity_services_engine:3.2.0:patch2::::::
	cpe:2.3:a:cisco:identity_services_engine:3.2.0:patch3::::::
	cpe:2.3:a:cisco:identity_services_engine:3.2.0:patch4::::::
	cpe:2.3:a:cisco:identity_services_engine:3.2.0:patch5::::::
	cpe:2.3:a:cisco:identity_services_engine:3.2.0:patch6::::::
	cpe:2.3:a:cisco:identity_services_engine:3.3.0:-::::::
	cpe:2.3:a:cisco:identity_services_engine:3.3.0:patch1::::::
	cpe:2.3:a:cisco:identity_services_engine:3.3.0:patch2::::::
	cpe:2.3:a:cisco:identity_services_engine:3.3.0:patch3::::::

History

28 Apr 2025, 16:54

Type	Values Removed	Values Added
Summary		(es) Una vulnerabilidad en la API de Cisco ISE podría permitir que un atacante remoto autenticado cargue archivos en ubicaciones arbitrarias en el sistema operativo subyacente de un dispositivo afectado. Para explotar esta vulnerabilidad, un atacante necesitaría credenciales de superadministrador válidas. Esta vulnerabilidad se debe a una validación insuficiente de los parámetros proporcionados por el usuario en las solicitudes de API. Un atacante podría explotar esta vulnerabilidad enviando una solicitud de API manipulada a un dispositivo afectado. Una explotación exitosa podría permitir al atacante cargar archivos personalizados en ubicaciones arbitrarias en el sistema operativo subyacente, ejecutar código arbitrario y elevar los privilegios a superusuario.
References	~~() https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-multi-vuln-DBQdWRy -~~	() https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-multi-vuln-DBQdWRy - Vendor Advisory
First Time		Cisco identity Services Engine Cisco
CPE		cpe:2.3:a:cisco:identity_services_engine:3.2.0:patch2:::::: cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch5:::::: cpe:2.3:a:cisco:identity_services_engine:3.2.0:patch5:::::: cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch8:::::: cpe:2.3:a:cisco:identity_services_engine:3.1.0:-:::::: cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch7:::::: cpe:2.3:a:cisco:identity_services_engine:3.3.0:patch2:::::: cpe:2.3:a:cisco:identity_services_engine:3.2.0:patch1:::::: cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch9:::::: cpe:2.3:a:cisco:identity_services_engine:::::::: cpe:2.3:a:cisco:identity_services_engine:3.2.0:patch3:::::: cpe:2.3:a:cisco:identity_services_engine:3.2.0:-:::::: cpe:2.3:a:cisco:identity_services_engine:3.3.0:patch1:::::: cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch6:::::: cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch2:::::: cpe:2.3:a:cisco:identity_services_engine:3.2.0:patch6:::::: cpe:2.3:a:cisco:identity_services_engine:3.3.0:-:::::: cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch1:::::: cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch3:::::: cpe:2.3:a:cisco:identity_services_engine:3.2.0:patch4:::::: cpe:2.3:a:cisco:identity_services_engine:3.3.0:patch3:::::: cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch4::::::

06 Nov 2024, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-06 17:15

Updated : 2025-04-28 16:54

NVD link : CVE-2024-20528

Mitre link : CVE-2024-20528

CVE.ORG link : CVE-2024-20528

JSON object : View

Products Affected

cisco

identity_services_engine

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

3.8 /10