CVE-2024-20306Improper Handling of Parameters in Cisco IOS XE Software

CWE-233Improper Handling of Parameters4 documents4 sources
Severity
6.7MEDIUMNVD
CNA6.0
EPSS
0.0%
top 93.42%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Cisco IOS XE SoftwareCisco IOS XE
Timeline
PublishedMar 27

Description

A vulnerability in the Unified Threat Defense (UTD) configuration CLI of Cisco IOS XE Software could allow an authenticated, local attacker to execute arbitrary commands as root on the underlying host operating system. To exploit this vulnerability, an attacker must have level 15 privileges on the affected device. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by submitting a crafted CLI command to an affected device. A successful exploit

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 0.8 | Impact: 5.9

Affected Packages2 packages

CVEListV5cisco/cisco_ios_xe_software9 versions+8
NVDcisco/ios_xe9 versions+8

🔴Vulnerability Details

2
CVEList
CVE-2024-20306: A vulnerability in the Unified Threat Defense (UTD) configuration CLI of Cisco IOS XE Software could allow an authenticated, local attacker to execute2024-03-27
GHSA
GHSA-hqrq-qhrv-9wxq: A vulnerability in the Unified Threat Defense (UTD) configuration CLI of Cisco IOS XE Software could allow an authenticated, local attacker to execute2024-03-27

📋Vendor Advisories

1
Cisco
Cisco IOS XE Software Unified Threat Defense Command Injection Vulnerability2024-03-27
CVE-2024-20306 — Improper Handling of Parameters | cvebase