CVE-2018-0477Command Injection in Cisco IOS XE Software

CWE-77Command InjectionCWE-78OS Command Injection4 documents4 sources
Severity
6.7MEDIUMNVD
EPSS
0.0%
top 87.60%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Cisco IOS XE SoftwareCisco IOS XE
Timeline
PublishedOct 5
Latest updateMay 13

Description

A vulnerability in the CLI parser of Cisco IOS XE Software could allow an authenticated, local attacker to execute commands on the underlying Linux shell of an affected device with root privileges. The vulnerability exist because the affected software improperly sanitizes command arguments, failing to prevent access to certain internal data structures on an affected device. An attacker who has privileged EXEC mode (privilege level 15) access to an affected device could exploit these vulnerabilit

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 0.8 | Impact: 5.9

Affected Packages2 packages

NVDcisco/ios_xe15.3\(3\)s3.16, 16.7.1, 16.7\(1\)+2

🔴Vulnerability Details

2
GHSA
GHSA-x627-jg77-frxc: A vulnerability in the CLI parser of Cisco IOS XE Software could allow an authenticated, local attacker to execute commands on the underlying Linux sh2022-05-13
CVEList
Cisco IOS XE Software Command Injection Vulnerabilities2018-10-05

📋Vendor Advisories

1
Cisco
Cisco IOS XE Software Command Injection Vulnerabilities2018-09-26
CVE-2018-0477 — Command Injection in Cisco | cvebase