Details of VAR-202006-1078

ID

VAR-202006-1078

CVE

CVE-2020-3211

TITLE

Cisco IOS XE in software OS Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2020-006201

DESCRIPTION

A vulnerability in the web UI of Cisco IOS XE Software could allow an authenticated, remote attacker to execute arbitrary commands with root privileges on the underlying operating system of an affected device. The vulnerability is due to improper input sanitization. An attacker who has valid administrative access to an affected device could exploit this vulnerability by supplying a crafted input parameter on a form in the web UI and then submitting that form. A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the device, which could lead to complete system compromise. (DoS) It may be in a state. Cisco IOS XE is an operating system developed by Cisco for its network equipment

Trust: 1.71

sources: NVD: CVE-2020-3211 // JVNDB: JVNDB-2020-006201 // VULHUB: VHN-181336

AFFECTED PRODUCTS

vendor:	cisco	model:	ios xe	scope:	eq	version:	16.12.1a	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.11.1b	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.10.1b	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.10.1	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.10.1e	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.12.1	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.11.1	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.12.1c	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.10.2	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.11.1c	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.11.1s	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.12.1t	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.10.1a	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.10.1s	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.12.1s	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.11.1a	Trust: 1.0
vendor:	シスコシステムズ	model:	cisco ios xe	scope:	eq	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2020-006201 // NVD: CVE-2020-3211

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-3211
value:	HIGH
Trust: 1.0
ykramarz@cisco.com:	CVE-2020-3211
value:	HIGH
Trust: 1.0
NVD:	CVE-2020-3211
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202006-358
value:	HIGH
Trust: 0.6
VULHUB:	VHN-181336
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2020-3211
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-181336
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

ykramarz@cisco.com:	CVE-2020-3211
baseSeverity:	HIGH
baseScore:	7.2
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.2
impactScore:	5.9
version:	3.0
Trust: 1.8
nvd@nist.gov:	CVE-2020-3211
baseSeverity:	HIGH
baseScore:	7.2
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.2
impactScore:	5.9
version:	3.1
Trust: 1.0

sources: VULHUB: VHN-181336 // JVNDB: JVNDB-2020-006201 // CNNVD: CNNVD-202006-358 // NVD: CVE-2020-3211 // NVD: CVE-2020-3211

PROBLEMTYPE DATA

problemtype:	CWE-78	Trust: 1.1
problemtype:	CWE-77	Trust: 1.0
problemtype:	OS Command injection (CWE-78) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-181336 // JVNDB: JVNDB-2020-006201 // NVD: CVE-2020-3211

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202006-358

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-202006-358

PATCH

title:	cisco-sa-web-cmdinj4-S2TmH7GA	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-web-cmdinj4-S2TmH7GA	Trust: 0.8
title:	Cisco IOS XE Fixes for operating system command injection vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=121144	Trust: 0.6

sources: JVNDB: JVNDB-2020-006201 // CNNVD: CNNVD-202006-358

EXTERNAL IDS

db:	NVD	id:	CVE-2020-3211	Trust: 3.3
db:	JVN	id:	JVNVU94803886	Trust: 0.8
db:	ICS CERT	id:	ICSA-22-300-03	Trust: 0.8
db:	JVNDB	id:	JVNDB-2020-006201	Trust: 0.8
db:	CNNVD	id:	CNNVD-202006-358	Trust: 0.7
db:	AUSCERT	id:	ESB-2020.1938	Trust: 0.6
db:	AUSCERT	id:	ESB-2022.5426	Trust: 0.6
db:	VULHUB	id:	VHN-181336	Trust: 0.1

sources: VULHUB: VHN-181336 // JVNDB: JVNDB-2020-006201 // CNNVD: CNNVD-202006-358 // NVD: CVE-2020-3211

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-web-cmdinj4-s2tmh7ga	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2020-3211	Trust: 1.4
url:	https://jvn.jp/vu/jvnvu94803886/index.html	Trust: 0.8
url:	https://www.cisa.gov/uscert/ics/advisories/icsa-22-300-03	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/esb-2020.1938/	Trust: 0.6
url:	https://vigilance.fr/vulnerability/cisco-ios-xe-multiple-vulnerabilities-32421	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2022.5426	Trust: 0.6

sources: VULHUB: VHN-181336 // JVNDB: JVNDB-2020-006201 // CNNVD: CNNVD-202006-358 // NVD: CVE-2020-3211

SOURCES

db:	VULHUB	id:	VHN-181336
db:	JVNDB	id:	JVNDB-2020-006201
db:	CNNVD	id:	CNNVD-202006-358
db:	NVD	id:	CVE-2020-3211

LAST UPDATE DATE

2024-08-14T13:24:31.644000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-181336	date:	2020-06-10T00:00:00
db:	JVNDB	id:	JVNDB-2020-006201	date:	2022-10-31T02:51:00
db:	CNNVD	id:	CNNVD-202006-358	date:	2022-10-28T00:00:00
db:	NVD	id:	CVE-2020-3211	date:	2020-06-10T15:26:58.803

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-181336	date:	2020-06-03T00:00:00
db:	JVNDB	id:	JVNDB-2020-006201	date:	2020-07-03T00:00:00
db:	CNNVD	id:	CNNVD-202006-358	date:	2020-06-03T00:00:00
db:	NVD	id:	CVE-2020-3211	date:	2020-06-03T18:15:19.167