7.8

CVE-2020-3167

A vulnerability in the CLI of Cisco FXOS Software and Cisco UCS Manager Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system (OS). The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by including crafted arguments to specific commands. A successful exploit could allow the attacker to execute arbitrary commands on the underlying OS with the privileges of the currently logged-in user for all affected platforms excluding Cisco UCS 6400 Series Fabric Interconnects. On Cisco UCS 6400 Series Fabric Interconnects, the injected commands are executed with root privileges.

Data is provided by the National Vulnerability Database (NVD)
CiscoFirepower Threat Defense Version >= 6.2.2 < 6.2.3.13
   CiscoFirepower 1010 Version-
   CiscoFirepower 1120 Version-
   CiscoFirepower 1140 Version-
   CiscoFirepower 1150 Version-
   CiscoFirepower 2110 Version-
   CiscoFirepower 2120 Version-
   CiscoFirepower 2130 Version-
   CiscoFirepower 2140 Version-
CiscoFirepower Threat Defense Version >= 6.3.0 < 6.4.0.8
   CiscoFirepower 1010 Version-
   CiscoFirepower 1120 Version-
   CiscoFirepower 1140 Version-
   CiscoFirepower 1150 Version-
   CiscoFirepower 2110 Version-
   CiscoFirepower 2120 Version-
   CiscoFirepower 2130 Version-
   CiscoFirepower 2140 Version-
CiscoFirepower Threat Defense Version >= 6.5.0 < 6.5.0.2
   CiscoFirepower 1010 Version-
   CiscoFirepower 1120 Version-
   CiscoFirepower 1140 Version-
   CiscoFirepower 1150 Version-
   CiscoFirepower 2110 Version-
   CiscoFirepower 2120 Version-
   CiscoFirepower 2130 Version-
   CiscoFirepower 2140 Version-
CiscoAdaptive Security Appliance Software Version >= 9.8 < 9.9.2.66
   CiscoFirepower 1010 Version-
   CiscoFirepower 1120 Version-
   CiscoFirepower 1140 Version-
   CiscoFirepower 1150 Version-
   CiscoFirepower 2110 Version-
   CiscoFirepower 2120 Version-
   CiscoFirepower 2130 Version-
   CiscoFirepower 2140 Version-
CiscoAdaptive Security Appliance Software Version >= 9.10 < 9.12.3.6
   CiscoFirepower 1010 Version-
   CiscoFirepower 1120 Version-
   CiscoFirepower 1140 Version-
   CiscoFirepower 1150 Version-
   CiscoFirepower 2110 Version-
   CiscoFirepower 2120 Version-
   CiscoFirepower 2130 Version-
   CiscoFirepower 2140 Version-
CiscoAdaptive Security Appliance Software Version >= 9.13 < 9.13.1.5
   CiscoFirepower 1010 Version-
   CiscoFirepower 1120 Version-
   CiscoFirepower 1140 Version-
   CiscoFirepower 1150 Version-
   CiscoFirepower 2110 Version-
   CiscoFirepower 2120 Version-
   CiscoFirepower 2130 Version-
   CiscoFirepower 2140 Version-
CiscoFirepower Extensible Operating System Version < 2.4.1.234
   CiscoFirepower 4110 Version-
   CiscoFirepower 4115 Version-
   CiscoFirepower 4120 Version-
   CiscoFirepower 4125 Version-
   CiscoFirepower 4140 Version-
   CiscoFirepower 4145 Version-
   CiscoFirepower 4150 Version-
   CiscoFirepower 9300 Version-
CiscoUcs Manager Version < 3.2\(3n\)
   CiscoUcs 6248up Version-
   CiscoUcs 6296up Version-
   CiscoUcs 6324 Version-
   CiscoUcs 6332 Version-
   CiscoUcs 6332-16up Version-
   CiscoUcs 64108 Version-
   CiscoUcs 6454 Version-
CiscoUcs Manager Version >= 4.0 < 4.0\(4g\)
   CiscoUcs 6248up Version-
   CiscoUcs 6296up Version-
   CiscoUcs 6324 Version-
   CiscoUcs 6332 Version-
   CiscoUcs 6332-16up Version-
   CiscoUcs 64108 Version-
   CiscoUcs 6454 Version-
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.25% 0.483
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 7.2 3.9 10
AV:L/AC:L/Au:N/C:C/I:C/A:C
psirt@cisco.com 7.8 1.8 5.9
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.