CVE-2017-6794

EPSS 0.22%
Veröffentlicht 07.09.2017 21:29:00
Zuletzt bearbeitet 20.04.2025 01:37:25
Quelle psirt@cisco.com
CVE-Watchlists
Login
Unerledigt
Login

A vulnerability in the CLI command-parsing code of Cisco Meeting Server could allow an authenticated, local attacker to perform command injection and escalate their privileges to root. The attacker must first authenticate to the application with valid administrator credentials. The vulnerability is due to insufficient validation of user-supplied input at the CLI for certain commands. An attacker could exploit this vulnerability by authenticating to the affected application and submitting a crafted CLI command for execution at the Cisco Meeting Server CLI. An exploit could allow the attacker to perform command injection and escalate their privilege level to root. Vulnerable Products: This vulnerability exists in Cisco Meeting Server software versions prior to and including 2.0, 2.1, and 2.2. Cisco Bug IDs: CSCvf53830.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Cisco ≫ Meeting Server Version2.0.0

Cisco ≫ Meeting Server Version2.0.1

Cisco ≫ Meeting Server Version2.0.2

Cisco ≫ Meeting Server Version2.0.3

Cisco ≫ Meeting Server Version2.0.4

Cisco ≫ Meeting Server Version2.0.5

Cisco ≫ Meeting Server Version2.0.6

Cisco ≫ Meeting Server Version2.0.7

Cisco ≫ Meeting Server Version2.0.8

Cisco ≫ Meeting Server Version2.0.9

Cisco ≫ Meeting Server Version2.0.10

Cisco ≫ Meeting Server Version2.0.11

Cisco ≫ Meeting Server Version2.0.12

Cisco ≫ Meeting Server Version2.0.13

Cisco ≫ Meeting Server Version2.0.14

Cisco ≫ Meeting Server Version2.0.15

Cisco ≫ Meeting Server Version2.0.16

Cisco ≫ Meeting Server Version2.1.0

Cisco ≫ Meeting Server Version2.1.1

Cisco ≫ Meeting Server Version2.1.2

Cisco ≫ Meeting Server Version2.1.3

Cisco ≫ Meeting Server Version2.1.4

Cisco ≫ Meeting Server Version2.1.5

Cisco ≫ Meeting Server Version2.1.6

Cisco ≫ Meeting Server Version2.1.7

Cisco ≫ Meeting Server Version2.1.8

Cisco ≫ Meeting Server Version2.1.9

Cisco ≫ Meeting Server Version2.1.10

Cisco ≫ Meeting Server Version2.1.11

Cisco ≫ Meeting Server Version2.2.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.22%	0.449

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.7	0.8	5.9	CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.2	3.9	10	AV:L/AC:L/Au:N/C:C/I:C/A:C

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

http://www.securityfocus.com/bid/100464

Third Party Advisory

VDB Entry

http://www.securitytracker.com/id/1039245

Third Party Advisory

VDB Entry

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170823-cms

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2017-6794

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2017-6794

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2017-6794

EUVD