CVE-2024-20398
Severity CVSS v4.0:
Pending analysis
Type:
CWE-78
OS Command Injections
Publication date:
11/09/2024
Last modified:
03/10/2024
Description
A vulnerability in the CLI of Cisco IOS XR Software could allow an authenticated, local attacker to obtain read/write file system access on the underlying operating system of an affected device.<br />
<br />
This vulnerability is due to insufficient validation of user arguments that are passed to specific CLI commands. An attacker with a low-privileged account could exploit this vulnerability by using crafted commands at the prompt. A successful exploit could allow the attacker to elevate privileges to root.
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:cisco:ios_xr:6.5.1:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios_xr:6.5.2:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios_xr:6.5.3:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios_xr:6.5.15:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios_xr:6.5.25:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios_xr:6.5.26:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios_xr:6.5.28:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios_xr:6.5.29:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios_xr:6.5.31:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios_xr:6.5.32:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios_xr:6.5.33:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios_xr:6.5.90:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios_xr:6.5.92:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios_xr:6.5.93:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios_xr:6.6.1:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page