Description

A vulnerability in Cisco IOx application hosting environment of Cisco IOS XE Software could allow an authenticated, remote attacker to inject commands into the underlying operating system as the root user. This vulnerability is due to incomplete validation of fields in the application packages loaded onto IOx. An attacker could exploit this vulnerability by creating a crafted application .tar file and loading it onto the device. A successful exploit could allow the attacker to perform command injection into the underlying operating system as the root user.

Related CPE's

o

cisco

ios_xe

5

References

https://github.com/orangecertcc/security-research/security/advisories/GHSA-h332-fj6p-2232

ExploitThird Party Advisory

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iox-cmdinj-RkSURGHG

Vendor Advisory

Weaknesses

[email protected]

Primary
CWE-78

[email protected]

Secondary
CWE-77

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

7.2 · High

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Modified

Published

2021-03-24T20:15:13.743

4 years ago

Last modified

2023-11-07T03:28:09.423

1 year ago