CVE-2014-7990Improper Input Validation in Cisco IOS XE

CWE-20Improper Input Validation4 documents4 sources
Severity
6.8MEDIUMNVD
EPSS
0.1%
top 75.57%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Cisco IOS XE
Timeline
PublishedNov 7
Latest updateMay 17

Description

Cisco IOS XE 3.5E and earlier on WS-C3850, WS-C3860, and AIR-CT5760 devices does not properly parse the "request system shell" challenge response, which allows local users to obtain Linux root access by leveraging administrative privilege, aka Bug ID CSCur09815.

CVSS vector

AV:L/AC:L/C:C/I:C/A:CExploitability: 3.1 | Impact: 10.0

Affected Packages1 packages

NVDcisco/ios_xe3.5e

🔴Vulnerability Details

2
GHSA
GHSA-m25p-g3cf-hvcp: Cisco IOS XE 32022-05-17
CVEList
CVE-2014-7990: Cisco IOS XE 32014-11-07

📋Vendor Advisories

1
Cisco
Cisco IOS XE Software Challenge/Response Bypass Vulnerability2014-11-06
CVE-2014-7990 — Improper Input Validation in Cisco | cvebase