8.8
CVE-2023-20076
- EPSS 0.55%
- Veröffentlicht 12.02.2023 04:15:19
- Zuletzt bearbeitet 21.11.2024 07:40:29
- Quelle psirt@cisco.com
- Teams Watchlist Login
- Unerledigt Login
A vulnerability in the Cisco IOx application hosting environment could allow an authenticated, remote attacker to execute arbitrary commands as root on the underlying host operating system. This vulnerability is due to incomplete sanitization of parameters that are passed in for activation of an application. An attacker could exploit this vulnerability by deploying and activating an application in the Cisco IOx application hosting environment with a crafted activation payload file. A successful exploit could allow the attacker to execute arbitrary commands as root on the underlying host operating system.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Cisco ≫ Ic3000 Industrial Compute Gateway Version < 1.4.2
Cisco ≫ Cgr1240 Firmware Version < 1.16.0.1
Cisco ≫ Cgr1000 Firmware Version < 1.16.0.1
Cisco ≫ Ir510 Wpan Firmware Version < 1.10.0.1
Cisco ≫ 829 Industrial Integrated Services Router Firmware Version < 15.9\(3\)
Cisco ≫ 829 Industrial Integrated Services Router Firmware Version15.9(3)m
Cisco ≫ 829 Industrial Integrated Services Router Firmware Version15.9(3)m1
Cisco ≫ 829 Industrial Integrated Services Router Firmware Version15.9(3)m2
Cisco ≫ 829 Industrial Integrated Services Router Firmware Version15.9(3)m2a
Cisco ≫ 829 Industrial Integrated Services Router Firmware Version15.9(3)m3
Cisco ≫ 829 Industrial Integrated Services Router Firmware Version15.9(3)m4
Cisco ≫ 829 Industrial Integrated Services Router Firmware Version15.9(3)m4a
Cisco ≫ 829 Industrial Integrated Services Router Firmware Version15.9(3)m5
Cisco ≫ 829 Industrial Integrated Services Router Firmware Version15.9(3)m6a
Cisco ≫ 829 Industrial Integrated Services Router Firmware Version15.9(3)m6b
Cisco ≫ 807 Industrial Integrated Services Router Firmware Version < 15.9\(3\)
Cisco ≫ 807 Industrial Integrated Services Router Firmware Version15.9(3)m
Cisco ≫ 807 Industrial Integrated Services Router Firmware Version15.9(3)m1
Cisco ≫ 807 Industrial Integrated Services Router Firmware Version15.9(3)m2
Cisco ≫ 807 Industrial Integrated Services Router Firmware Version15.9(3)m2a
Cisco ≫ 807 Industrial Integrated Services Router Firmware Version15.9(3)m3
Cisco ≫ 807 Industrial Integrated Services Router Firmware Version15.9(3)m4
Cisco ≫ 807 Industrial Integrated Services Router Firmware Version15.9(3)m4a
Cisco ≫ 807 Industrial Integrated Services Router Firmware Version15.9(3)m5
Cisco ≫ 807 Industrial Integrated Services Router Firmware Version15.9(3)m6a
Cisco ≫ 807 Industrial Integrated Services Router Firmware Version15.9(3)m6b
Cisco ≫ 809 Industrial Integrated Services Router Firmware Version < 15.9\(3\)
Cisco ≫ 809 Industrial Integrated Services Router Firmware Version15.9(3)m
Cisco ≫ 809 Industrial Integrated Services Router Firmware Version15.9(3)m1
Cisco ≫ 809 Industrial Integrated Services Router Firmware Version15.9(3)m2
Cisco ≫ 809 Industrial Integrated Services Router Firmware Version15.9(3)m2a
Cisco ≫ 809 Industrial Integrated Services Router Firmware Version15.9(3)m3
Cisco ≫ 809 Industrial Integrated Services Router Firmware Version15.9(3)m4
Cisco ≫ 809 Industrial Integrated Services Router Firmware Version15.9(3)m4a
Cisco ≫ 809 Industrial Integrated Services Router Firmware Version15.9(3)m5
Cisco ≫ 809 Industrial Integrated Services Router Firmware Version15.9(3)m6a
Cisco ≫ 809 Industrial Integrated Services Router Firmware Version15.9(3)m6b
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.55% | 0.67 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| psirt@cisco.com | 7.2 | 1.2 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
|
CWE-233 Improper Handling of Parameters
The product does not properly handle when the expected number of parameters, fields, or arguments is not provided in input, or if those parameters are undefined.
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.