CVE-2023-20076

A vulnerability in the Cisco IOx application hosting environment could allow an authenticated, remote attacker to execute arbitrary commands as root on the underlying host operating system. This vulnerability is due to incomplete sanitization of parameters that are passed in for activation of an application. An attacker could exploit this vulnerability by deploying and activating an application in the Cisco IOx application hosting environment with a crafted activation payload file. A successful exploit could allow the attacker to execute arbitrary commands as root on the underlying host operating system.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iox-8whGn5dL	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:h:cisco:ic3000_industrial_compute_gateway:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:a:cisco:iox:-:::::::*
	cpe:2.3:o:cisco:ios_xe::::::::
	cpe:2.3:o:cisco:ios_xe::::::::
	cpe:2.3:o:cisco:ios_xe:17.10.0:::::::*

Configuration 3 (hide)

AND

cpe:2.3:o:cisco:cgr1240_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:cisco:cgr1240:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:o:cisco:cgr1000_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:cisco:cgr1000:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

cpe:2.3:o:cisco:ir510_wpan_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:cisco:ir510_wpan:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND

OR	cpe:2.3:o:cisco:829_industrial_integrated_services_router_firmware::::::::
	cpe:2.3:o:cisco:829_industrial_integrated_services_router_firmware:15.9\(3\)m:::::::*
	cpe:2.3:o:cisco:829_industrial_integrated_services_router_firmware:15.9\(3\)m1:::::::*
	cpe:2.3:o:cisco:829_industrial_integrated_services_router_firmware:15.9\(3\)m2:::::::*
	cpe:2.3:o:cisco:829_industrial_integrated_services_router_firmware:15.9\(3\)m2a:::::::*
	cpe:2.3:o:cisco:829_industrial_integrated_services_router_firmware:15.9\(3\)m3:::::::*
	cpe:2.3:o:cisco:829_industrial_integrated_services_router_firmware:15.9\(3\)m4:::::::*
	cpe:2.3:o:cisco:829_industrial_integrated_services_router_firmware:15.9\(3\)m4a:::::::*
	cpe:2.3:o:cisco:829_industrial_integrated_services_router_firmware:15.9\(3\)m5:::::::*
	cpe:2.3:o:cisco:829_industrial_integrated_services_router_firmware:15.9\(3\)m6a:::::::*
	cpe:2.3:o:cisco:829_industrial_integrated_services_router_firmware:15.9\(3\)m6b:::::::*

cpe:2.3:h:cisco:829_industrial_integrated_services_router:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND

OR	cpe:2.3:o:cisco:807_industrial_integrated_services_router_firmware::::::::
	cpe:2.3:o:cisco:807_industrial_integrated_services_router_firmware:15.9\(3\)m:::::::*
	cpe:2.3:o:cisco:807_industrial_integrated_services_router_firmware:15.9\(3\)m1:::::::*
	cpe:2.3:o:cisco:807_industrial_integrated_services_router_firmware:15.9\(3\)m2:::::::*
	cpe:2.3:o:cisco:807_industrial_integrated_services_router_firmware:15.9\(3\)m2a:::::::*
	cpe:2.3:o:cisco:807_industrial_integrated_services_router_firmware:15.9\(3\)m3:::::::*
	cpe:2.3:o:cisco:807_industrial_integrated_services_router_firmware:15.9\(3\)m4:::::::*
	cpe:2.3:o:cisco:807_industrial_integrated_services_router_firmware:15.9\(3\)m4a:::::::*
	cpe:2.3:o:cisco:807_industrial_integrated_services_router_firmware:15.9\(3\)m5:::::::*
	cpe:2.3:o:cisco:807_industrial_integrated_services_router_firmware:15.9\(3\)m6a:::::::*
	cpe:2.3:o:cisco:807_industrial_integrated_services_router_firmware:15.9\(3\)m6b:::::::*

cpe:2.3:h:cisco:807_industrial_integrated_services_router:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND

OR	cpe:2.3:o:cisco:809_industrial_integrated_services_router_firmware::::::::
	cpe:2.3:o:cisco:809_industrial_integrated_services_router_firmware:15.9\(3\)m:::::::*
	cpe:2.3:o:cisco:809_industrial_integrated_services_router_firmware:15.9\(3\)m1:::::::*
	cpe:2.3:o:cisco:809_industrial_integrated_services_router_firmware:15.9\(3\)m2:::::::*
	cpe:2.3:o:cisco:809_industrial_integrated_services_router_firmware:15.9\(3\)m2a:::::::*
	cpe:2.3:o:cisco:809_industrial_integrated_services_router_firmware:15.9\(3\)m3:::::::*
	cpe:2.3:o:cisco:809_industrial_integrated_services_router_firmware:15.9\(3\)m4:::::::*
	cpe:2.3:o:cisco:809_industrial_integrated_services_router_firmware:15.9\(3\)m4a:::::::*
	cpe:2.3:o:cisco:809_industrial_integrated_services_router_firmware:15.9\(3\)m5:::::::*
	cpe:2.3:o:cisco:809_industrial_integrated_services_router_firmware:15.9\(3\)m6a:::::::*
	cpe:2.3:o:cisco:809_industrial_integrated_services_router_firmware:15.9\(3\)m6b:::::::*

cpe:2.3:h:cisco:809_industrial_integrated_services_router:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2023-02-12 04:15

Updated : 2024-02-28 19:51

NVD link : CVE-2023-20076

Mitre link : CVE-2023-20076

CVE.ORG link : CVE-2023-20076

JSON object : View

Products Affected

cisco

ic3000_industrial_compute_gateway
cgr1240
809_industrial_integrated_services_router_firmware
829_industrial_integrated_services_router
ir510_wpan
807_industrial_integrated_services_router_firmware
ir510_wpan_firmware
829_industrial_integrated_services_router_firmware
807_industrial_integrated_services_router
cgr1240_firmware
cgr1000
ios_xe
cgr1000_firmware
iox
809_industrial_integrated_services_router

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-233

Improper Handling of Parameters

8.8 /10