8.8
CVE-2022-20655
- EPSS 0.54%
- Published 15.11.2024 16:15:20
- Last modified 18.11.2024 17:11:56
- Source psirt@cisco.com
- Teams watchlist Login
- Open Login
A vulnerability in the implementation of the CLI on a device that is running ConfD could allow an authenticated, local attacker to perform a command injection attack. The vulnerability is due to insufficient validation of a process argument on an affected device. An attacker could exploit this vulnerability by injecting commands during the execution of this process. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privilege level of ConfD, which is commonly root.
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
This information is available to logged-in users. Login
Daten sind bereitgestellt durch das CVE Programm von Authorized Data Publishers (ADP) (Unstrukturiert)
Vendorcisco
≫
Product
ios_xr_software
Default Statusunknown
Version <
7.0.2
Version
0
Status
affected
Version <
7.1.1
Version
7.1.0
Status
affected
Vendorcisco
≫
Product
virtual_topology_system
Default Statusunknown
Version <
2.6.5
Version
0
Status
affected
Vendorcisco
≫
Product
network_services_orchestrator
Default Statusunknown
Version <
4.3.9.1
Version
0
Status
affected
Version <
4.4.5.6
Version
4.4.0.0
Status
affected
Version <
4.5.7
Version
4.5.0
Status
affected
Version <
4.6.1.7
Version
4.6.0
Status
affected
Version <
4.7.1
Version
4.7.0
Status
affected
Version <
5.1.0.1
Version
5.1.0
Status
affected
Vendorcisco
≫
Product
enterprise_nfv_infrastructure_software
Default Statusunknown
Version <
3.12.1
Version
0
Status
affected
Vendorcisco
≫
Product
catalyst_sd-wan_manager
Default Statusunknown
Version <
18.4.4
Version
0
Status
affected
Version <
19.2.1
Version
19.2.0
Status
affected
Vendorcisco
≫
Product
ios_xe_catalyst_sd-wan
Default Statusunknown
Version <
16.10.2
Version
0
Status
affected
Version <
16.12.1b
Version
16.12.0
Status
affected
Version <
17.2.1r
Version
17.2.0
Status
affected
Vendorcisco
≫
Product
sd-wan_vedge_router
Default Statusunknown
Version <
18.4.4
Version
0
Status
affected
Version <
19.2.1
Version
19.2.0
Status
affected
Vendorcisco
≫
Product
carrier_packet_transport
Default Statusunknown
Version <
*
Version
0
Status
affected
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.54% | 0.666 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| psirt@cisco.com | 8.8 | 2 | 6 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
|
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.