CVE-2018-0324

{"id": "CVE-2018-0324", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.6, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.8}]}, "published": "2018-05-17T03:29:00.763", "references": [{"url": "http://www.securityfocus.com/bid/104208", "tags": ["Third Party Advisory", "VDB Entry"], "source": "ykramarz@cisco.com"}, {"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180516-nfvis-cli-command-injection", "tags": ["Vendor Advisory"], "source": "ykramarz@cisco.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-78"}]}, {"type": "Secondary", "source": "ykramarz@cisco.com", "description": [{"lang": "en", "value": "CWE-77"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in the CLI of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, high-privileged, local attacker to perform a command injection attack. The vulnerability is due to insufficient input validation of command parameters in the CLI parser. An attacker could exploit this vulnerability by invoking a vulnerable CLI command with crafted malicious parameters. An exploit could allow the attacker to execute arbitrary commands with a non-root user account on the underlying Linux operating system of the affected device. Cisco Bug IDs: CSCvi09723."}, {"lang": "es", "value": "Una vulnerabilidad en la interfaz de l\u00ednea de comandos de Cisco Enterprise NFV Infrastructure Software podr\u00eda permitir que un atacante local autenticado con altos privilegios realice un ataque de inyecci\u00f3n de comandos. La vulnerabilidad se debe a una validaci\u00f3n de entrada insuficiente de algunos par\u00e1metros de comandos en el analizador sint\u00e1ctico de la interfaz de l\u00ednea de comandos. Un atacante podr\u00eda explotar esta vulnerabilidad invocando un comando espec\u00edfico de la interfaz de l\u00ednea de comandos con par\u00e1metros maliciosos manipulados. Su explotaci\u00f3n con \u00e9xito podr\u00eda permitir que el atacante ejecute comandos arbitrarios con una cuenta de usuario no root al sistema operativo Linux subyacente en el dispositivo afectado. Cisco Bug IDs: CSCvi09723."}], "lastModified": "2020-09-04T18:34:58.313", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cisco:network_functions_virtualization_infrastructure:3.6.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0973CD91-EAA5-4D6B-B93F-3FDB3ACD1FA7"}, {"criteria": "cpe:2.3:a:cisco:network_functions_virtualization_infrastructure:3.6.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CC22342E-9624-49B4-B982-557858C34680"}, {"criteria": "cpe:2.3:a:cisco:network_functions_virtualization_infrastructure:3.7.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C4BBC296-B394-4B88-B0D3-080FD00FA180"}], "operator": "OR"}]}], "sourceIdentifier": "ykramarz@cisco.com"}