Command Injection Vulnerability in Cisco NX-OS System Software
CVE-2017-12330

6.3 MEDIUM

Key Information:

Vendor: Cisco
CVE Published: 30 November 2017

Summary

A vulnerability in the command-line interface (CLI) of Cisco NX-OS System Software allows authenticated local attackers to execute arbitrary commands through command injection. This occurs due to insufficient input validation of command arguments parsed by the CLI. An attacker can exploit this vulnerability by injecting crafted arguments into CLI commands, potentially gaining unauthorized access to the operating system of the device. In products supporting multiple virtual device contexts, there’s a risk of executing commands within other contexts, leading to further security concerns. The affected products include a range of Cisco Nexus switches and Line Cards, necessitating immediate attention to ensure system integrity.

Affected Version(s)

Cisco Nexus Series Switches

CVSS V3.1

Score: 6.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
