CVE-2022-20677 - Vulnerability Details

Multiple vulnerabilities in the Cisco IOx application hosting environment on multiple Cisco platforms could allow an attacker to inject arbitrary commands into the underlying host operating system, execute arbitrary code on the underlying host operating system, install applications without being authenticated, or conduct a cross-site scripting (XSS) attack against a user of the affected software. For more information about these vulnerabilities, see the Details section of this advisory.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

The EPSS score is 0.0016.

Exploitation none

Automatable no

Technical Impact partial

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Cisco

Cisco IOS

affected

Version	Status	Constraints
`n/a`	affected	—

Configuration 1 [-]

AND

cpe:2.3:o:cisco:ios:17.6.1:*:*:*:*:*:*:*

OR	cpe:2.3:h:cisco:1100-4g_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:1100-6g_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:1101_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:1109_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:1111x_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:111x_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:1120_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:1131_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:1160_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:4221_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:8101-32fh:-:::::::*
	cpe:2.3:h:cisco:8101-32h:-:::::::*
	cpe:2.3:h:cisco:8102-64h:-:::::::*
	cpe:2.3:h:cisco:8201:-:::::::*
	cpe:2.3:h:cisco:8201-32fh:-:::::::*
	cpe:2.3:h:cisco:8202:-:::::::*
	cpe:2.3:h:cisco:8800:-:::::::*
	cpe:2.3:h:cisco:asr_1001-x:-:::::::*
	cpe:2.3:h:cisco:asr_1002-hx:-:::::::*
	cpe:2.3:h:cisco:asr_1006-x:-:::::::*
	cpe:2.3:h:cisco:asr_1009-x:-:::::::*
	cpe:2.3:h:cisco:asr_900:-:::::::*
	cpe:2.3:h:cisco:asr_9000v-v2:-:::::::*
	cpe:2.3:h:cisco:asr_9001:-:::::::*
	cpe:2.3:h:cisco:asr_9006:-:::::::*
	cpe:2.3:h:cisco:asr_9010:-:::::::*
	cpe:2.3:h:cisco:asr_9901:-:::::::*
	cpe:2.3:h:cisco:asr_9902:-:::::::*
	cpe:2.3:h:cisco:asr_9903:-:::::::*
	cpe:2.3:h:cisco:asr_9904:-:::::::*
	cpe:2.3:h:cisco:asr_9906:-:::::::*
	cpe:2.3:h:cisco:asr_9910:-:::::::*
	cpe:2.3:h:cisco:asr_9912:-:::::::*
	cpe:2.3:h:cisco:asr_9922:-:::::::*
	cpe:2.3:h:cisco:catalyst_3650:-:::::::*
	cpe:2.3:h:cisco:catalyst_3850:-:::::::*
	cpe:2.3:h:cisco:catalyst_8200:-:::::::*
	cpe:2.3:h:cisco:catalyst_8300:-:::::::*
	cpe:2.3:h:cisco:catalyst_8500:-:::::::*
	cpe:2.3:h:cisco:catalyst_8500l:-:::::::*
	cpe:2.3:h:cisco:catalyst_9200:-:::::::*
	cpe:2.3:h:cisco:catalyst_9300:-:::::::*
	cpe:2.3:h:cisco:catalyst_9400:-:::::::*
	cpe:2.3:h:cisco:catalyst_9500:-:::::::*
	cpe:2.3:h:cisco:catalyst_9500h:-:::::::*
	cpe:2.3:h:cisco:catalyst_9600:-:::::::*
	cpe:2.3:h:cisco:catalyst_9800:-:::::::*
	cpe:2.3:h:cisco:catalyst_9800-40:-:::::::*
	cpe:2.3:h:cisco:catalyst_9800-80:-:::::::*
	cpe:2.3:h:cisco:catalyst_9800-cl:-:::::::*
	cpe:2.3:h:cisco:catalyst_9800-l:-:::::::*
	cpe:2.3:h:cisco:catalyst_cg418-e:-:::::::*
	cpe:2.3:h:cisco:catalyst_cg522-e:-:::::::*
	cpe:2.3:h:cisco:catalyst_ess9300:-:::::::*
	cpe:2.3:h:cisco:catalyst_ie3200:-:::::::*
	cpe:2.3:h:cisco:catalyst_ie3300:-:::::::*
	cpe:2.3:h:cisco:catalyst_ie3400:-:::::::*
	cpe:2.3:h:cisco:catalyst_ie9300:-:::::::*
	cpe:2.3:h:cisco:cloud_services_router_1000v:-:::::::*
	cpe:2.3:h:cisco:esr3300:-:::::::*
	cpe:2.3:h:cisco:esr6300:-:::::::*

No data.

Project Subscriptions

Vendors	Products
Cisco Subscribe	1100-4g Integrated Services Router Subscribe 1100-6g Integrated Services Router Subscribe 1101 Integrated Services Router Subscribe 1109 Integrated Services Router Subscribe 1111x Integrated Services Router Subscribe 111x Integrated Services Router Subscribe 1120 Integrated Services Router Subscribe 1131 Integrated Services Router Subscribe 1160 Integrated Services Router Subscribe 4221 Integrated Services Router Subscribe 8101-32fh Subscribe 8101-32h Subscribe 8102-64h Subscribe 8201 Subscribe 8201-32fh Subscribe 8202 Subscribe 8800 Subscribe Asr 1001-x Subscribe Asr 1002-hx Subscribe Asr 1006-x Subscribe Asr 1009-x Subscribe Asr 900 Subscribe Asr 9000v-v2 Subscribe Asr 9001 Subscribe Asr 9006 Subscribe Asr 9010 Subscribe Asr 9901 Subscribe Asr 9902 Subscribe Asr 9903 Subscribe Asr 9904 Subscribe Asr 9906 Subscribe Asr 9910 Subscribe Asr 9912 Subscribe Asr 9922 Subscribe Catalyst 3650 Subscribe Catalyst 3850 Subscribe Catalyst 8200 Subscribe Catalyst 8300 Subscribe Catalyst 8500 Subscribe Catalyst 8500l Subscribe Catalyst 9200 Subscribe Catalyst 9300 Subscribe Catalyst 9400 Subscribe Catalyst 9500 Subscribe Catalyst 9500h Subscribe Catalyst 9600 Subscribe Catalyst 9800 Subscribe Catalyst 9800-40 Subscribe Catalyst 9800-80 Subscribe Catalyst 9800-cl Subscribe Catalyst 9800-l Subscribe Catalyst Cg418-e Subscribe Catalyst Cg522-e Subscribe Catalyst Ess9300 Subscribe Catalyst Ie3200 Subscribe Catalyst Ie3300 Subscribe Catalyst Ie3400 Subscribe Catalyst Ie9300 Subscribe Cloud Services Router 1000v Subscribe Esr3300 Subscribe Esr6300 Subscribe Ios Subscribe

Advisories

Source	ID	Title
EUVD	EUVD-2022-25927	Multiple vulnerabilities in the Cisco IOx application hosting environment on multiple Cisco platforms could allow an attacker to inject arbitrary commands into the underlying host operating system, execute arbitrary code on the underlying host operating system, install applications without being authenticated, or conduct a cross-site scripting (XSS) attack against a user of the affected software. For more information about these vulnerabilities, see the Details section of this advisory.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iox-yuXQ6hFj

History

Wed, 06 Nov 2024 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: cisco

Published: 2022-04-15T14:16:46.734986Z

Updated: 2024-11-06T16:25:32.069Z

Reserved: 2021-11-02T00:00:00

Link: CVE-2022-20677

Vulnrichment

Updated: 2024-08-03T02:17:52.949Z

NVD

Status : Modified

Published: 2022-04-15T15:15:12.413

Modified: 2024-11-21T06:43:17.923

Link: CVE-2022-20677

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

Exploitation none

Automatable no

Technical Impact partial

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object