CVE-2024-20295 — OS Command Injection in Cisco Unified Computing System

CWE-78 — OS Command Injection4 documents4 sources

Severity

8.8HIGHNVD

EPSS

0.5%

top 36.27%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco Unified Computing System Cisco Unified Computing System E-series Software

Timeline

PublishedApr 24

Description

A vulnerability in the CLI of the Cisco Integrated Management Controller (IMC) could allow an authenticated, local attacker to perform command injection attacks on the underlying operating system and elevate privileges to root. To exploit this vulnerability, the attacker must have read-only or higher privileges on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted CLI command. A suc…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HExploitability: 2.0 | Impact: 6.0

Affected Packages2 packages

▶CVEListV5cisco/cisco_unified_computing_system163 versions+162

▶CVEListV5cisco/cisco_unified_computing_system_e-series_softwareN/A

🔴Vulnerability Details

GHSA

GHSA-384c-8455-8xjm: A vulnerability in the CLI of the Cisco Integrated Management Controller (IMC) could allow an authenticated, local attacker to perform command injecti↗2024-04-24

▶

CVEList

CVE-2024-20295: A vulnerability in the CLI of the Cisco Integrated Management Controller (IMC) could allow an authenticated, local attacker to perform command injecti↗2024-04-24

▶

📋Vendor Advisories

Cisco

Cisco Integrated Management Controller CLI Command Injection Vulnerability↗2024-04-17

▶