Cisco has patched two high-severity vulnerabilities affecting components of its Application Centric Infrastructure software-defined networking solution.
The first flaw, tracked as CVE-2023-20011, impacts the management interface of the Cisco Application Policy Infrastructure Controller (APIC) and Cloud Network Controller. APIC is the unified point of automation and management for ACI.
The vulnerability can be exploited by a remote, unauthenticated attacker to conduct cross-site request forgery attacks by tricking a user into clicking on a malicious link. The attacker could then conduct activities on the targeted system with the privileges of the compromised user.
The second flaw is a high-severity issue, tracked as CVE-2023-20089, which affects Cisco Nexus 9000 series Fabric switches in ACI mode, and it can be exploited for DoS attacks by an unauthenticated, adjacent attacker. However, several conditions need to be met for exploitation.
Cisco also patched medium-severity flaws in other products: an issue in UCS Manager and FXOS software that exposes backup files, a command injection bug in NX-OS, a command injection in Firepower appliances, and an authentication bypass vulnerability in Nexus extenders.