| Vulnerability Name: | CVE-2019-1756 (CCN-158771) | ||||||||||||
| Assigned: | 2018-12-06 | ||||||||||||
| Published: | 2019-03-27 | ||||||||||||
| Updated: | 2019-10-09 | ||||||||||||
| Summary: | A vulnerability in Cisco IOS XE Software could allow an authenticated, remote attacker to execute commands on the underlying Linux shell of an affected device with root privileges. The vulnerability occurs because the affected software improperly sanitizes user-supplied input. An attacker who has valid administrator access to an affected device could exploit this vulnerability by supplying a username with a malicious payload in the web UI and subsequently making a request to a specific endpoint in the web UI. A successful exploit could allow the attacker to run arbitrary commands as the root user, allowing complete compromise of the system. | ||||||||||||
| CVSS v3 Severity: | 7.2 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) 6.3 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
6.3 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
| ||||||||||||
| CVSS v2 Severity: | 9.0 High (CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C)
| ||||||||||||
| Vulnerability Type: | CWE-20 | ||||||||||||
| Vulnerability Consequences: | Gain Access | ||||||||||||
| References: | Source: MITRE Type: CNA CVE-2019-1756 Source: BID Type: Third Party Advisory, VDB Entry 107598 Source: XF Type: UNKNOWN cisco-cve20191756-cmd-exec(158771) Source: CCN Type: Cisco Security Advisory cisco-sa-20190327-iosxe-cmdinject Cisco IOS XE Software Command Injection Vulnerability Source: CISCO Type: Patch, Vendor Advisory 20190327 Cisco IOS XE Software Command Injection Vulnerability | ||||||||||||
| Vulnerable Configuration: | Configuration 1: Configuration 2:  Denotes that component is vulnerable | ||||||||||||
| BACK | |||||||||||||