CVE-2020-3217 — Improper Input Validation in Cisco IOS XR Software
Severity
8.8 HIGH (NVD)
EPSS
0.2%
top 52.22%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Jun 3
Latest update: May 24
Description
A vulnerability in the Topology Discovery Service of Cisco One Platform Kit (onePK) in Cisco IOS Software, Cisco IOS XE Software, Cisco IOS XR Software, and Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to execute arbitrary code or cause a denial of service (DoS) condition on an affected device. The vulnerability is due to insufficient length restrictions when the onePK Topology Discovery Service parses Cisco Discovery Protocol messages. An attacker could exploit this vu…
CVSS vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9
Affected Packages: 4 packages
Patches
Vulnerability Details (2)
GHSA
GHSA-hjm6-73rx-9qg9: A vulnerability in the Topology Discovery Service of Cisco One Platform Kit (onePK) in Cisco IOS Software, Cisco IOS XE Software, Cisco IOS XR Softwar (2022-05-24)
CVEList
Cisco IOS, IOS XE, IOS XR, and NX-OS Software One Platform Kit Remote Code Execution Vulnerability (2020-06-03)
Vendor Advisories (1)
Cisco
Cisco IOS, IOS XE, IOS XR, and NX-OS Software One Platform Kit Remote Code Execution Vulnerability (2020-06-03)