CVE-2017-3858 — Improper Input Validation in Cisco IOS XE
Severity
8.8 HIGH (NVD)
EPSS
0.7%
top 28.74%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Mar 22
Latest update: May 17
Description
A vulnerability in the web framework of Cisco IOS XE Software could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges. The vulnerability is due to insufficient input validation of HTTP parameters supplied by the user. An attacker could exploit this vulnerability by authenticating to the device and submitting crafted input to the affected web page parameter. The user must be authenticated to access the affected parameter. A successful expl…
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9
Affected Packages: 1 package
Vulnerability Details (2)
GHSA
GHSA-pqc9-4c3g-rwj3: A vulnerability in the web framework of Cisco IOS XE Software could allow an authenticated, remote attacker to inject arbitrary commands that are exec… (2022-05-17)
CVEList
CVE-2017-3858: A vulnerability in the web framework of Cisco IOS XE Software could allow an authenticated, remote attacker to inject arbitrary commands that are exec… (2017-03-22)