9

CVE-2022-20650

A vulnerability in the NX-API feature of Cisco NX-OS Software could allow an authenticated, remote attacker to execute arbitrary commands with root privileges. The vulnerability is due to insufficient input validation of user supplied data that is sent to the NX-API. An attacker could exploit this vulnerability by sending a crafted HTTP POST request to the NX-API of an affected device. A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the underlying operating system. Note: The NX-API feature is disabled by default.

Data is provided by the National Vulnerability Database (NVD)
CiscoNx-os Version10.2(1.72)
   CiscoN9k-c9316d-gx Version-
   CiscoN9k-c9332d-gx2b Version-
   CiscoN9k-c9348d-gx2a Version-
   CiscoN9k-c93600cd-gx Version-
   CiscoN9k-c9364d-gx2a Version-
   CiscoNexus 3048 Version-
   CiscoNexus 31108pc-v Version-
   CiscoNexus 31108tc-v Version-
   CiscoNexus 31128pq Version-
   CiscoNexus 3132c-z Version-
   CiscoNexus 3132q-v Version-
   CiscoNexus 3132q-x Version-
   CiscoNexus 3132q-xl Version-
   CiscoNexus 3164q Version-
   CiscoNexus 3172pq Version-
   CiscoNexus 3172pq-xl Version-
   CiscoNexus 3172tq-xl Version-
   CiscoNexus 3232c Version-
   CiscoNexus 3264c-e Version-
   CiscoNexus 3264q Version-
   CiscoNexus 3408-s Version-
   CiscoNexus 34180yc Version-
   CiscoNexus 3432d-s Version-
   CiscoNexus 3464c Version-
   CiscoNexus 3524-x Version-
   CiscoNexus 3524-xl Version-
   CiscoNexus 3548-x Version-
   CiscoNexus 3548-xl Version-
   CiscoNexus 36180yc-r Version-
   CiscoNexus 3636c-r Version-
   CiscoNexus 92160yc-x Version-
   CiscoNexus 92300yc Version-
   CiscoNexus 92304qc Version-
   CiscoNexus 92348gc-x Version-
   CiscoNexus 9236c Version-
   CiscoNexus 9272q Version-
   CiscoNexus 93108tc-ex Version-
   CiscoNexus 93108tc-fx Version-
   CiscoNexus 93108tc-fx3p Version-
   CiscoNexus 93120tx Version-
   CiscoNexus 93180yc-ex Version-
   CiscoNexus 93180yc-fx Version-
   CiscoNexus 93180yc-fx3 Version-
   CiscoNexus 93216tc-fx2 Version-
   CiscoNexus 93240yc-fx2 Version-
   CiscoNexus 9332c Version-
   CiscoNexus 93360yc-fx2 Version-
   CiscoNexus 9336c-fx2 Version-
   CiscoNexus 9336c-fx2-e Version-
   CiscoNexus 9348gc-fxp Version-
   CiscoNexus 9364c Version-
   CiscoNexus 9364c-gx Version-
   CiscoNexus 9504 Switch Version-
   CiscoNexus 9508 Switch Version-
   CiscoNexus 9516 Switch Version-
CiscoNx-os Version7.3(8)n1(0.4)
   CiscoNexus 5548p Version-
   CiscoNexus 5548up Version-
   CiscoNexus 5596t Version-
   CiscoNexus 5596up Version-
   CiscoNexus 56128p Version-
   CiscoNexus 5672up Version-
   CiscoNexus 5672up-16g Version-
   CiscoNexus 6000 Version-
   CiscoNexus 6001 Version-
   CiscoNexus 6004 Version-
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 7.62% 0.915
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 9 8 10
AV:N/AC:L/Au:S/C:C/I:C/A:C
psirt@cisco.com 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.