CVE-2020-3423 — Improper Restriction of Operations within the Bounds of a Memory Buffer in Cisco IOS XE Software 3.7.0s

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer4 documents3 sources

Severity

6.7MEDIUMNVD

EPSS

0.1%

top 81.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco IOS XE Software 3.7.0s Cisco IOS XE

Timeline

PublishedSep 24

Latest updateMay 24

Description

A vulnerability in the implementation of the Lua interpreter that is integrated in Cisco IOS XE Software could allow an authenticated, local attacker to execute arbitrary code with root privileges on the underlying Linux operating system (OS) of an affected device. The vulnerability is due to insufficient restrictions on Lua function calls within the context of user-supplied Lua scripts. An attacker with valid administrative credentials could exploit this vulnerability by submitting a malicious …

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 0.8 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5cisco/cisco_ios_xe_software_3.7.0sn/a

▶ciscocisco/ios_xe

🔴Vulnerability Details

GHSA

GHSA-g8rg-fgr5-jxrm: A vulnerability in the implementation of the Lua interpreter that is integrated in Cisco IOS XE Software could allow an authenticated, local attacker↗2022-05-24

▶

📋Vendor Advisories

Cisco

Cisco IOS XE Software Arbitrary Code Execution Vulnerability↗2020-09-24

▶

Cisco

Cisco IOS XE Software Arbitrary Code Execution Vulnerability↗

▶