Command Injection Vulnerability in Cisco NX-OS Software
CVE-2018-0306

7.8HIGH

Key Information:

Vendor
Cisco
Status
Cisco Nx-os Unknown
Vendor
CVE Published:
21 June 2018

Summary

A vulnerability in the CLI parser of Cisco NX-OS Software allows authenticated, local attackers to exploit insufficient input validation. By injecting malicious command arguments into a vulnerable CLI command, attackers can execute arbitrary commands with root privileges on affected devices. This vulnerability necessitates that any feature license is uploaded to the device but does not require active usage of the license. Affected products include various series of Cisco switches and fabric extenders, potentially exposing critical network infrastructure to unauthorized commands.

Affected Version(s)

Cisco NX-OS unknown Cisco NX-OS unknown

References

https://tools.cisco.com/security/center/content/CiscoSecu...
x_refsource_CONFIRM
http://www.securitytracker.com/id/1041169
vdb-entryx_refsource_SECTRACK

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.