8.2

CVE-2017-6707

A vulnerability in the CLI command-parsing code of the Cisco StarOS operating system for Cisco ASR 5000 Series 11.0 through 21.0, 5500 Series, and 5700 Series devices and Cisco Virtualized Packet Core (VPC) Software could allow an authenticated, local attacker to break from the StarOS CLI of an affected system and execute arbitrary shell commands as a Linux root user on the system, aka Command Injection. The vulnerability exists because the affected operating system does not sufficiently sanitize commands before inserting them into Linux shell commands. An attacker could exploit this vulnerability by submitting a crafted CLI command for execution in a Linux shell command as a root user. Cisco Bug IDs: CSCvc69329, CSCvc72930.

Data is provided by the National Vulnerability Database (NVD)
Cisco StarOS Version 11.0_base
Cisco StarOS Version 12.0.0
Cisco StarOS Version 12.1_base
Cisco StarOS Version 12.2_base
Cisco StarOS Version 14.0.0
Cisco StarOS Version 15.0_base
Cisco StarOS Version 16.0.0
Cisco StarOS Version 16.1.0
Cisco StarOS Version 16.1.1
Cisco StarOS Version 16.1.2
Cisco StarOS Version 16.5.0
Cisco StarOS Version 16.5.2
Cisco StarOS Version 17.2.0
Cisco StarOS Version 17.2.0.59184
Cisco StarOS Version 17.3.0
Cisco StarOS Version 17.3.1
Cisco StarOS Version 17.3_base
Cisco StarOS Version 17.7.0
Cisco StarOS Version 18.0.0
Cisco StarOS Version 18.0.0.57828
Cisco StarOS Version 18.0.0.59167
Cisco StarOS Version 18.0.0.59211
Cisco StarOS Version 18.0.l0.59219
Cisco StarOS Version 18.1.0
Cisco StarOS Version 18.1.0.59776
Cisco StarOS Version 18.1.0.59780
Cisco StarOS Version 18.1_base
Cisco StarOS Version 18.3.0
Cisco StarOS Version 18.3_base
Cisco StarOS Version 18.4.0
Cisco StarOS Version 19.0.1
Cisco StarOS Version 19.0.m0.60737
Cisco StarOS Version 19.0.m0.60828
Cisco StarOS Version 19.0.m0.61045
Cisco StarOS Version 19.1.0
Cisco StarOS Version 19.1.0.61559
Cisco StarOS Version 19.2.0
Cisco StarOS Version 19.3.0
Cisco StarOS Version 20.0.0
Cisco StarOS Version 20.0.1.0
Cisco StarOS Version 20.0.1.a0
Cisco StarOS Version 20.0.1.v0
Cisco StarOS Version 20.0.2.3
Cisco StarOS Version 20.0.2.3.65026
Cisco StarOS Version 20.0.2.v1
Cisco StarOS Version 20.0.m0.62842
Cisco StarOS Version 20.0.m0.63229
Cisco StarOS Version 20.0.v0
Cisco StarOS Version 21.0.0
Cisco StarOS Version 21.0_base
Cisco StarOS Version 21.0_m0.64246
Cisco StarOS Version 21.0_m0.64702

No CISA KEV or CERT.AT warning was found for this CVE.

EPSS Metrics

| Type | Source | Score | Percentile |
|------|--------|-------|------------|
| EPSS | FIRST.org | 0.24% | 0.468 |

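CVSS Metrics

| Source | Base Score | Exploit Score | Impact Score | Vector string |
|--------|------------|---------------|--------------|---------------|
| nvd@nist.gov | 8.2 | 1.5 | 6 | CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| nvd@nist.gov | 7.2 | 3.9 | 10 | AV:L/AC:L/Au:N/C:C/I:C/A:C |
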
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.