CVE-2014-2146Improper Input Validation in Cisco IOS

CWE-20Improper Input Validation3 documents3 sources
Severity
6.5MEDIUMNVD
EPSS
0.2%
top 54.59%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Cisco IOSCisco IOS XE
Timeline
PublishedSep 22
Latest updateMay 17

Description

The Zone-Based Firewall (ZBFW) functionality in Cisco IOS, possibly 15.4 and earlier, and IOS XE, possibly 3.13 and earlier, mishandles zone checking for existing sessions, which allows remote attackers to bypass intended resource-access restrictions via spoofed traffic that matches one of these sessions, aka Bug IDs CSCun94946 and CSCun96847.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

NVDcisco/ios15.4\(1\)t1
NVDcisco/ios_xe15.4\(3\)s

🔴Vulnerability Details

2
GHSA
GHSA-cvf4-6mxr-vc38: The Zone-Based Firewall (ZBFW) functionality in Cisco IOS, possibly 152022-05-17
CVEList
CVE-2014-2146: The Zone-Based Firewall (ZBFW) functionality in Cisco IOS, possibly 152016-09-22
CVE-2014-2146 — Improper Input Validation in Cisco IOS | cvebase