CVE-2024-20278: Incomplete List of Disallowed Inputs in Cisco IOS XE Software

Severity: 6.5 MEDIUM (NVD)
EPSS: 0.1% (top 67.82%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 27

Description

A vulnerability in the NETCONF feature of Cisco IOS XE Software could allow an authenticated, remote attacker to elevate privileges to root on an affected device. This vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending crafted input over NETCONF to an affected device. A successful exploit could allow the attacker to elevate privileges from Administrator to root.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N (Exploitability: 1.2 | Impact: 5.2)

Decoded: network attack vector, low attack complexity, high privileges required, no user interaction, unchanged scope, high confidentiality and integrity impact, no availability impact.

Affected Packages (2 packages)

CVEListV5: cisco/cisco_ios_xe_software, 43 versions (+42)
NVD: cisco/ios_xe, 43 versions (+42)

Vulnerability Details (2)

CVEList: CVE-2024-20278: A vulnerability in the NETCONF feature of Cisco IOS XE Software could allow an authenticated, remote attacker to elevate privileges to root on an affe (2024-03-27)
GHSA: GHSA-w3pw-jcpx-2qcc: A vulnerability in the NETCONF feature of Cisco IOS XE Software could allow an authenticated, remote attacker to elevate privileges to root on an affe (2024-03-27)

Vendor Advisories (1)

Cisco: Cisco IOS XE Software Privilege Escalation Vulnerability (2024-03-27)
CVE-2024-20278 — Incomplete List of Disallowed Inputs | cvebase