CVE-2015-6385 — Improper Input Validation in Cisco IOS

CWE-20 — Improper Input Validation4 documents4 sources

Severity

7.2HIGHNVD

EPSS

0.1%

top 82.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco IOS

Timeline

PublishedDec 1

Latest updateMay 17

Description

The publish-event event-manager feature in Cisco IOS 15.5(2)S and 15.5(3)S on Cloud Services Router 1000V devices allows local users to execute arbitrary commands with root privileges by leveraging administrative access to enter crafted environment variables, aka Bug ID CSCux14943.

CVSS vector

AV:L/AC:L/C:C/I:C/A:CExploitability: 3.9 | Impact: 10.0

Affected Packages1 packages

▶NVDcisco/ios15.5\(2\)s, 15.5\(3\)s+1

🔴Vulnerability Details

GHSA

GHSA-2j8f-gpq9-f2mv: The publish-event event-manager feature in Cisco IOS 15↗2022-05-17

▶

CVEList

CVE-2015-6385: The publish-event event-manager feature in Cisco IOS 15↗2015-12-01

▶

📋Vendor Advisories

Cisco

Cisco Cloud Services Router 1000V Command Injection Vulnerability↗2015-11-30

▶