CVE-2023-20035: Improper Neutralization of Expression/Command Delimiters in Cisco IOS XE Software

Severity
7.8 HIGH (NVD)
EPSS
0.2%
top 56.20%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Mar 23, 2023

Description

A vulnerability in the CLI of Cisco IOS XE SD-WAN Software could allow an authenticated, local attacker to execute arbitrary commands with elevated privileges. This vulnerability is due to insufficient input validation by the system CLI. An attacker with privileges to run commands could exploit this vulnerability by first authenticating to an affected device using either local terminal access or a management shell interface and then submitting crafted input to the system CLI. A successful exploi
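The bug class behind this entry, a privileged CLI verb that forwards an operator-supplied argument to the underlying OS without neutralising command delimiters, is shown below as an added example. This is not Cisco code and does not reproduce the IOS XE SD-WAN code path: the verb, its single host argument, the allowlist and the use of `echo` as the wrapped OS tool are all assumptions chosen so the example runs offline and deterministically. It places the vulnerable pattern beside a partial fix (shell quoting) and the proper fix (allowlist validation plus shell-free exec).

```python
# Added example (not Cisco code): a toy model of command-delimiter injection
# through a privileged CLI wrapper. The verb, the allowlist and "echo" as the
# wrapped OS tool are assumptions so the example runs anywhere.
import re
import shlex
import subprocess

# Stand-in for the root-level OS tool behind the CLI verb (assumption; "echo"
# is used only so the output is deterministic and needs no network).
OS_TOOL = ["echo", "target:"]


def vulnerable_exec(host: str) -> str:
    """Vulnerable pattern: the argument is spliced into a shell command string.

    Shell delimiters in `host` (; | && $( ) `...`) are never neutralised, so an
    operator who may only run this verb gets arbitrary commands executed with
    the wrapper's privileges.
    """
    cmd = " ".join(OS_TOOL) + " " + host
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def shell_quoted_exec(host: str) -> str:
    """Partial fix: quote the argument if a shell really is unavoidable.

    shlex.quote turns the whole value into one single-quoted word, so delimiters
    survive only as literal text inside that one argument.
    """
    cmd = " ".join(OS_TOOL) + " " + shlex.quote(host)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Allowlist for the one argument this verb accepts: hostname or IPv4 literal
# characters only (assumption about what the verb is meant to take).
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-]{0,252}")


def safe_exec(host: str) -> str:
    """Proper fix: validate against an allowlist, then exec without a shell.

    With an argv list there is no shell to interpret delimiters, and the
    allowlist rejects anything that is not a plausible host before exec.
    """
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected argument: {host!r}")
    return subprocess.run(OS_TOOL + [host], capture_output=True, text=True).stdout


def is_injected(output: str) -> bool:
    """True if the wrapped tool's output gained a second line, i.e. a second
    command ran. Used to tell the three variants apart on the same input."""
    return len(output.splitlines()) > 1


if __name__ == "__main__":
    payload = "10.0.0.1; echo INJECTED"  # constructed attacker input
    print("vulnerable:", repr(vulnerable_exec(payload)))
    print("quoted:    ", repr(shell_quoted_exec(payload)))
    try:
        safe_exec(payload)
    except ValueError as e:
        print("allowlist: ", e)
```

The allowlist is the check that matters: quoting only helps when every call site remembers to quote, whereas rejecting unexpected characters before exec and dropping the shell entirely removes the delimiter problem at its source.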

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 5.9

Decoded: local attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, high impact on confidentiality, integrity and availability. With scope unchanged the base score is the sum of the two subscores (7.7) rounded up to 7.8; the practical point is that a low-privilege local account is turned into elevated command execution.

Affected Packages: 1 package

🔴 Vulnerability Details (2)
GHSA
GHSA-mg9g-g88j-w67g: A vulnerability in the CLI of Cisco IOS XE SD-WAN Software could allow an authenticated, local attacker to execute arbitrary commands with elevated privileges (2023-03-23)
CVEList
Cisco IOS XE SD-WAN Software Command Injection Vulnerability (2023-03-23)

📋 Vendor Advisories (1)

Cisco
Cisco IOS XE SD-WAN Software Command Injection Vulnerability (2023-03-22)
CVE-2023-20035 — Cisco IOS XE Software vulnerability | cvebase