CVE-2021-1384 — Command Injection in Cisco IOS XE

CWE-77 — Command Injection CWE-78 — OS Command Injection4 documents4 sources

Severity

7.2HIGHNVD

CNA6.5

EPSS

14.3%

top 5.58%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco IOS XE Cisco IOS XE Software

Timeline

PublishedMar 24

Latest updateMay 24

Description

A vulnerability in Cisco IOx application hosting environment of Cisco IOS XE Software could allow an authenticated, remote attacker to inject commands into the underlying operating system as the root user. This vulnerability is due to incomplete validation of fields in the application packages loaded onto IOx. An attacker could exploit this vulnerability by creating a crafted application .tar file and loading it onto the device. A successful exploit could allow the attacker to perform command in…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5cisco/cisco_ios_xe_softwaren/a

▶NVDcisco/ios_xe16.9.0 — 16.9.7+4

🔴Vulnerability Details

GHSA

GHSA-x749-h24f-x5rh: A vulnerability in Cisco IOx application hosting environment of Cisco IOS XE Software could allow an authenticated, remote attacker to inject commands↗2022-05-24

▶

CVEList

Cisco IOx for IOS XE Software Command Injection Vulnerability↗2021-03-24

▶

📋Vendor Advisories

Cisco

Cisco IOx for IOS XE Software Command Injection Vulnerability↗2021-03-24

▶