Cisco Enterprise NFV Infrastructure Software CLI Command Injection Vulnerability

cisco-sa-20180516-nfvis-cli-command-injection · Medium · Published 8 years ago · Updated 8 years ago

Data: Cisco advisories 1 day ago · Cisco CSAF 4 hours ago · NVD CVEs 7 hours ago · NVD CPEs 1 day ago · CISA KEV 1 day ago · EPSS 1 day ago

A vulnerability in the CLI of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, high-privileged, local attacker to perform a command injection attack. The vulnerability is due to insufficient input validation of command parameters in the CLI parser. An attacker could exploit this vulnerability by invoking a vulnerable CLI command with crafted malicious parameters. An exploit could allow the attacker to execute arbitrary commands with a non-root user account on the underlying Linux operating system of the affected device. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180516-nfvis-cli-command-injection

Cisco advisory ·CSAF JSON

Workarounds

There are no workarounds that address this vulnerability.

CVEs	CVE-2018-0324
Cisco Bug IDs	CSCvi09723
CVSS Score	Base 4.2 Base 4.2 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:X

Products with public affected evidence

Product	CVE	Affected evidence
Cisco Enterprise NFV Infrastructure Software	CVE-2018-0324	structured affected CSAF product_status