{"containers": {"cna": {"affected": [{"product": "Cisco IOS", "vendor": "Cisco", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2020-09-24T00:00:00", "descriptions": [{"lang": "en", "value": "A vulnerability in the CLI parser of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, local attacker to access files from the flash: filesystem. The vulnerability is due to insufficient application of restrictions during the execution of a specific command. An attacker could exploit this vulnerability by using a specific command at the command line. A successful exploit could allow the attacker to obtain read-only access to files that are located on the flash: filesystem that otherwise might not have been accessible."}], "exploits": [{"lang": "en", "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-09-24T17:52:48", "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco"}, "references": [{"name": "20200924 Cisco IOS and IOS XE Software Information Disclosure Vulnerability", "tags": ["vendor-advisory", "x_refsource_CISCO"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-info-disclosure-V4BmJBNF"}], "source": {"advisory": "cisco-sa-info-disclosure-V4BmJBNF", "defect": [["CSCvu10399"]], "discovery": "INTERNAL"}, "title": "Cisco IOS and IOS XE Software Information Disclosure Vulnerability", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@cisco.com", "DATE_PUBLIC": "2020-09-24T16:00:00", "ID": "CVE-2020-3477", "STATE": "PUBLIC", "TITLE": "Cisco IOS and IOS XE Software Information Disclosure Vulnerability"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Cisco IOS", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "Cisco"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability in the CLI parser of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, local attacker to access files from the flash: filesystem. The vulnerability is due to insufficient application of restrictions during the execution of a specific command. An attacker could exploit this vulnerability by using a specific command at the command line. A successful exploit could allow the attacker to obtain read-only access to files that are located on the flash: filesystem that otherwise might not have been accessible."}]}, "exploit": [{"lang": "en", "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."}], "impact": {"cvss": {"baseScore": "5.5", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-20"}]}]}, "references": {"reference_data": [{"name": "20200924 Cisco IOS and IOS XE Software Information Disclosure Vulnerability", "refsource": "CISCO", "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-info-disclosure-V4BmJBNF"}]}, "source": {"advisory": "cisco-sa-info-disclosure-V4BmJBNF", "defect": [["CSCvu10399"]], "discovery": "INTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T07:37:54.308Z"}, "title": "CVE Program Container", "references": [{"name": "20200924 Cisco IOS and IOS XE Software Information Disclosure Vulnerability", "tags": ["vendor-advisory", "x_refsource_CISCO", "x_transferred"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-info-disclosure-V4BmJBNF"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-11-13T17:23:19.644914Z", "id": "CVE-2020-3477", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-13T17:58:01.086Z"}}]}, "cveMetadata": {"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "assignerShortName": "cisco", "cveId": "CVE-2020-3477", "datePublished": "2020-09-24T17:52:48.475365Z", "dateReserved": "2019-12-12T00:00:00", "dateUpdated": "2024-11-13T17:58:01.086Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:cisco:ios:16.3.11:*:*:*:*:*:*:*", "matchCriteriaId": "AAA3919B-5067-4451-9109-3A52C380BCAA", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:cisco:2610xm:-:*:*:*:*:*:*:*", "matchCriteriaId": "9E9B9F16-2D70-4109-999F-6A10D82DD68D", "vulnerable": false}, {"criteria": "cpe:2.3:h:cisco:2611xm:-:*:*:*:*:*:*:*", "matchCriteriaId": "F77581A8-F334-445E-978C-D57F5135830B", "vulnerable": false}, {"criteria": "cpe:2.3:h:cisco:2612:-:*:*:*:*:*:*:*", "matchCriteriaId": "E22D6ADA-DC1D-4916-9039-D0970727DE46", "vulnerable": false}, {"criteria": "cpe:2.3:h:cisco:2620xm:-:*:*:*:*:*:*:*", "matchCriteriaId": "0CF86B51-A53D-4B3A-89B6-BFF3D40397B6", "vulnerable": false}, {"criteria": "cpe:2.3:h:cisco:2621xm:-:*:*:*:*:*:*:*", "matchCriteriaId": "83F5E77F-E325-472B-AD80-98B2C2DBF0AB", "vulnerable": false}, {"criteria": "cpe:2.3:h:cisco:2650xm:-:*:*:*:*:*:*:*", "matchCriteriaId": "E997D0D5-5436-4E39-8032-F6EA5DA45340", "vulnerable": false}, {"criteria": "cpe:2.3:h:cisco:2651xm:-:*:*:*:*:*:*:*", "matchCriteriaId": "EF18B92D-D063-4D98-8D59-5AF02443DC4E", "vulnerable": false}, {"criteria": "cpe:2.3:h:cisco:2691:-:*:*:*:*:*:*:*", "matchCriteriaId": "5F4063DC-7653-4777-B012-C49CCDD0E0B5", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "A vulnerability in the CLI parser of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, local attacker to access files from the flash: filesystem. The vulnerability is due to insufficient application of restrictions during the execution of a specific command. An attacker could exploit this vulnerability by using a specific command at the command line. A successful exploit could allow the attacker to obtain read-only access to files that are located on the flash: filesystem that otherwise might not have been accessible."}, {"lang": "es", "value": "Una vulnerabilidad en el analizador de la CLI de Cisco IOS Software y Cisco IOS XE Software, podr\u00eda permitir a un atacante local autenticado acceder a archivos desde la flash: filesystem. La vulnerabilidad es debido a una aplicaci\u00f3n insuficiente de restricciones durante la ejecuci\u00f3n de un comando espec\u00edfico. Un atacante podr\u00eda explotar esta vulnerabilidad mediante el uso de un comando espec\u00edfico en la l\u00ednea de comandos. Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir al atacante conseguir acceso de solo lectura a archivos que est\u00e1n ubicados en la flash: filesystem que de otro modo no podr\u00eda haber sido accesible."}], "id": "CVE-2020-3477", "lastModified": "2024-11-21T05:31:08.990", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "ykramarz@cisco.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-09-24T18:15:19.917", "references": [{"source": "ykramarz@cisco.com", "tags": ["Vendor Advisory"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-info-disclosure-V4BmJBNF"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-info-disclosure-V4BmJBNF"}], "sourceIdentifier": "ykramarz@cisco.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "ykramarz@cisco.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}