CVE-2020-3393Improper Privilege Management in Cisco IOS XE Software

CWE-269Improper Privilege ManagementCWE-20Improper Input Validation4 documents4 sources
Severity
7.8HIGHNVD
CNA6.0
EPSS
0.1%
top 71.38%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Cisco IOS XE SoftwareCisco IOS XE
Timeline
PublishedSep 24
Latest updateMay 24

Description

A vulnerability in the application-hosting subsystem of Cisco IOS XE Software could allow an authenticated, local attacker to elevate privileges to root on an affected device. The attacker could execute IOS XE commands outside the application-hosting subsystem Docker container as well as on the underlying Linux operating system. These commands could be run as the root user. The vulnerability is due to a combination of two factors: (a) incomplete input validation of the user payload of CLI comman

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

NVDcisco/ios_xe16.12.1

🔴Vulnerability Details

2
GHSA
GHSA-h3p2-pf2r-9cvv: A vulnerability in the application-hosting subsystem of Cisco IOS XE Software could allow an authenticated, local attacker to elevate privileges to ro2022-05-24
CVEList
Cisco IOS XE Software IOx Application Hosting Privilege Escalation Vulnerability2020-09-24

📋Vendor Advisories

1
Cisco
Cisco IOS XE Software IOx Application Hosting Privilege Escalation Vulnerability2020-09-24
CVE-2020-3393 — Improper Privilege Management in Cisco | cvebase