CVE-2018-0194 — OS Command Injection in Cisco IOS XE

CWE-78 — OS Command Injection5 documents5 sources

Severity

7.8HIGHNVD

EPSS

0.2%

top 52.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco IOS XE

Timeline

PublishedApr 2

Latest updateMay 13

Description

Multiple vulnerabilities in the CLI parser of Cisco IOS XE Software could allow an authenticated, local attacker to inject arbitrary commands into the CLI of the affected software, which could allow the attacker to gain access to the underlying Linux shell of an affected device and execute commands with root privileges on the device. The vulnerabilities exist because the affected software does not sufficiently sanitize command arguments before passing commands to the Linux shell for execution. A…

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages1 packages

▶NVDcisco/ios_xe< 16.3.1

🔴Vulnerability Details

GHSA

GHSA-8mmm-fjmh-9w7w: Multiple vulnerabilities in the CLI parser of Cisco IOS XE Software could allow an authenticated, local attacker to inject arbitrary commands into the↗2022-05-13

▶

CVEList

CVE-2018-0194: Multiple vulnerabilities in the CLI parser of Cisco IOS XE Software could allow an authenticated, local attacker to inject arbitrary commands into the↗2018-04-02

▶

📋Vendor Advisories

Cisco

Cisco IOS XE Software CLI Command Injection Vulnerabilities↗2018-03-28

▶

Apache

Apache camel: CVE-2019-0194↗

▶