CVE-2017-12228Improper Input Validation in Cisco IOS XE

CWE-20Improper Input ValidationCWE-295Improper Certificate Validation4 documents4 sources
Severity
5.9MEDIUMNVD
EPSS
0.3%
top 44.63%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Cisco IOS XECisco IOS
Timeline
PublishedSep 29
Latest updateMay 13

Description

A vulnerability in the Cisco Network Plug and Play application of Cisco IOS 12.4 through 15.6 and Cisco IOS XE 3.3 through 16.4 could allow an unauthenticated, remote attacker to gain unauthorized access to sensitive data by using an invalid certificate. The vulnerability is due to insufficient certificate validation by the affected software. An attacker could exploit this vulnerability by supplying a crafted certificate to an affected device. A successful exploit could allow the attacker to con

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages2 packages

NVDcisco/ios_xe15.4\(3\)s+144
NVDcisco/ios436 versions+435

🔴Vulnerability Details

2
GHSA
GHSA-58h4-9j5q-gmvr: A vulnerability in the Cisco Network Plug and Play application of Cisco IOS 122022-05-13
CVEList
CVE-2017-12228: A vulnerability in the Cisco Network Plug and Play application of Cisco IOS 122017-09-28

📋Vendor Advisories

1
Cisco
Cisco IOS and IOS XE Software Plug-and-Play PKI API Certificate Validation Vulnerability2017-09-27
CVE-2017-12228 — Improper Input Validation in Cisco | cvebase