CVE-2021-1390: Write-what-where Condition in Cisco IOS XE Software

Severity
6.7 MEDIUM NVD
CNA 5.1 CISA 9.8 CISA 7.8
EPSS
0.0%
top 87.87%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Mar 24
Latest update May 24

Description

A vulnerability in one of the diagnostic test CLI commands of Cisco IOS XE Software could allow an authenticated, local attacker to execute arbitrary code on an affected device. To exploit this vulnerability, the attacker would need to have valid user credentials at privilege level 15. This vulnerability exists because the affected software permits modification of the run-time memory of an affected device under specific circumstances. An attacker could exploit this vulnerability by authenticatin

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 0.8 | Impact: 5.9

Affected Packages: 2 packages

NVD cisco/ios_xe 74 versions +73

🔴Vulnerability Details

2
GHSA
GHSA-587f-4vmq-c6m5: A vulnerability in one of the diagnostic test CLI commands of Cisco IOS XE Software could allow an authenticated, local attacker to execute arbitrary 2022-05-24
CVEList
Cisco IOS XE Software Local Privilege Escalation Vulnerability 2021-03-24

📋Vendor Advisories

3
CISA
Microsoft Open Management Infrastructure (OMI) Privilege Escalation Vulnerability 2021-11-03
CISA
Microsoft Open Management Infrastructure (OMI) Remote Code Execution Vulnerability 2021-11-03
Cisco
Cisco IOS XE Software Local Privilege Escalation Vulnerability 2021-03-24