CVE-2022-20676: Execution with Unnecessary Privileges in Cisco IOS XE Software

Severity
NVD: 6.7 (Medium)
CNA: 5.1
EPSS
0.1% (top 81.28%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Apr 15, 2022
Latest update: Apr 16, 2022

Description

A vulnerability in the Tool Command Language (Tcl) interpreter of Cisco IOS XE Software could allow an authenticated, local attacker to escalate from privilege level 15 to root-level privileges. This vulnerability is due to insufficient input validation of data that is passed into the Tcl interpreter. An attacker could exploit this vulnerability by loading malicious Tcl code on an affected device. A successful exploit could allow the attacker to execute arbitrary commands as root. By default, Tc

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 0.8 | Impact: 5.9

Affected packages (2)

NVD: cisco/ios_xe (29 versions)

🔴 Vulnerability details (2)

GHSA: GHSA-mm24-m3qx-g7j8 (2022-04-16): A vulnerability in the Tool Command Language (Tcl) interpreter of Cisco IOS XE Software could allow an authenticated, local attacker to escalate
CVEList: Cisco IOS XE Software Tool Command Language Privilege Escalation Vulnerability (2022-04-15)

📋 Vendor advisories (1)

Cisco: Cisco IOS XE Software Tool Command Language Privilege Escalation Vulnerability (2022-04-13)
CVE-2022-20676 — Execution with Unnecessary Privileges | cvebase