CVE-2024-20277

A vulnerability in the web-based management interface of Cisco ThousandEyes Enterprise Agent, Virtual Appliance installation type, could allow an authenticated, remote attacker to perform a command injection and elevate privileges to root. This vulnerability is due to insufficient validation of user-supplied input for the web interface. An attacker could exploit this vulnerability by sending a crafted HTTP packet to the affected device. A successful exploit could allow the attacker to execute arbitrary commands and elevate privileges to root.
Configurations

Configuration 1 (hide)

cpe:2.3:a:cisco:thousandeyes_enterprise_agent:*:*:*:*:*:*:*:*

History

21 Nov 2024, 08:52

Type Values Removed Values Added
References () https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-thouseyes-privesc-DmzHG3Qv - Issue Tracking, Vendor Advisory () https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-thouseyes-privesc-DmzHG3Qv - Issue Tracking, Vendor Advisory
CVSS v2 : unknown
v3 : 8.0
v2 : unknown
v3 : 6.8

29 Jan 2024, 17:32

Type Values Removed Values Added
First Time Cisco
Cisco thousandeyes Enterprise Agent
CWE NVD-CWE-noinfo
References () https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-thouseyes-privesc-DmzHG3Qv - () https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-thouseyes-privesc-DmzHG3Qv - Issue Tracking, Vendor Advisory
CPE cpe:2.3:a:cisco:thousandeyes_enterprise_agent:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 8.0

17 Jan 2024, 17:35

Type Values Removed Values Added
New CVE

Information

Published : 2024-01-17 17:15

Updated : 2024-11-21 08:52


NVD link : CVE-2024-20277

Mitre link : CVE-2024-20277

CVE.ORG link : CVE-2024-20277


JSON object : View

Products Affected

cisco

  • thousandeyes_enterprise_agent
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

NVD-CWE-noinfo