CVE-2022-20655 — OS Command Injection in Cisco Virtual Topology System

CWE-78 — OS Command Injection5 documents4 sources

Severity

8.8HIGHNVD

EPSS

0.4%

top 39.25%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco Carrier Packet Transport Cisco Catalyst Sd-wan Cisco Catalyst Sd-wan Manager +7 more

Timeline

PublishedNov 15

Description

A vulnerability in the implementation of the CLI on a device that is running ConfD could allow an authenticated, local attacker to perform a command injection attack. The vulnerability is due to insufficient validation of a process argument on an affected device. An attacker could exploit this vulnerability by injecting commands during the execution of this process. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privilege l…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HExploitability: 2.0 | Impact: 6.0

Affected Packages10 packages

▶CVEListV5cisco/cisco_virtual_topology_systemN/A

▶CVEListV5cisco/cisco_catalyst_sd-wanN/A

▶CVEListV5cisco/cisco_ios_xr_softwareN/A

▶CVEListV5cisco/cisco_sd-wan_vedge_routerN/A

▶CVEListV5cisco/cisco_ios_xe_catalyst_sd-wanN/A

🔴Vulnerability Details

GHSA

GHSA-hm47-g5j3-8f32: A vulnerability in the implementation of the CLI on a device that is running ConfD could allow an authenticated, local attacker to perform a command i↗2024-11-15

▶

CVEList

CVE-2022-20655: A vulnerability in the implementation of the CLI on a device that is running ConfD could allow an authenticated, local attacker to perform a command i↗2024-11-15

▶

📋Vendor Advisories

Cisco

Multiple Cisco Products CLI Command Injection Vulnerability↗2022-01-19

▶

Cisco

ConfD CLI Command Injection Vulnerability↗2022-01-19

▶