CVE-2019-1755
6.5
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Summary
A vulnerability in the Web Services Management Agent (WSMA) function of Cisco IOS XE Software could allow an authenticated, remote attacker to execute arbitrary Cisco IOS commands as a privilege level 15 user. The vulnerability occurs because the affected software improperly sanitizes user-supplied input. An attacker could exploit this vulnerability by submitting crafted HTTP requests to the targeted application. A successful exploit could allow the attacker to execute arbitrary commands on the affected device.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Cisco | Cisco IOS XE Software | 3.6.10E | affected |
| Cisco | Cisco IOS XE Software | 16.1.1 | affected |
| Cisco | Cisco IOS XE Software | 16.1.2 | affected |
| Cisco | Cisco IOS XE Software | 16.1.3 | affected |
| Cisco | Cisco IOS XE Software | 3.2.0JA | affected |
| Cisco | Cisco IOS XE Software | 16.2.1 | affected |
| Cisco | Cisco IOS XE Software | 16.2.2 | affected |
| Cisco | Cisco IOS XE Software | 16.3.1 | affected |
| Cisco | Cisco IOS XE Software | 16.3.2 | affected |
| Cisco | Cisco IOS XE Software | 16.3.3 | affected |
| Cisco | Cisco IOS XE Software | 16.3.1a | affected |
| Cisco | Cisco IOS XE Software | 16.3.4 | affected |
| Cisco | Cisco IOS XE Software | 16.3.5 | affected |
| Cisco | Cisco IOS XE Software | 16.3.5b | affected |
| Cisco | Cisco IOS XE Software | 16.3.6 | affected |
| Cisco | Cisco IOS XE Software | 16.3.7 | affected |
| Cisco | Cisco IOS XE Software | 16.3.8 | affected |
| Cisco | Cisco IOS XE Software | 16.4.1 | affected |
| Cisco | Cisco IOS XE Software | 16.4.2 | affected |
| Cisco | Cisco IOS XE Software | 16.4.3 | affected |
| Cisco | Cisco IOS XE Software | 16.5.1 | affected |
| Cisco | Cisco IOS XE Software | 16.5.1a | affected |
| Cisco | Cisco IOS XE Software | 16.5.1b | affected |
| Cisco | Cisco IOS XE Software | 16.5.2 | affected |
| Cisco | Cisco IOS XE Software | 16.5.3 | affected |
| Cisco | Cisco IOS XE Software | 16.6.1 | affected |
| Cisco | Cisco IOS XE Software | 16.6.2 | affected |
| Cisco | Cisco IOS XE Software | 16.6.3 | affected |
| Cisco | Cisco IOS XE Software | 16.7.1 | affected |
| Cisco | Cisco IOS XE Software | 16.7.1a | affected |
| Cisco | Cisco IOS XE Software | 16.7.1b | affected |
| Cisco | Cisco IOS XE Software | 16.8.1 | affected |
| Cisco | Cisco IOS XE Software | 16.8.1a | affected |
| Cisco | Cisco IOS XE Software | 16.8.1b | affected |
| Cisco | Cisco IOS XE Software | 16.8.1s | affected |
| Cisco | Cisco IOS XE Software | 16.8.1c | affected |
| Cisco | Cisco IOS XE Software | 16.8.1d | affected |
| Cisco | Cisco IOS XE Software | 16.8.1e | affected |
Weaknesses
- CWE-20: CWE-20
ADP Enrichment
CVE Program Container
Additional References
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-iosxe-cmdinj
- http://www.securityfocus.com/bid/107380
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-iosxe-cmdinj
- http://www.securityfocus.com/bid/107380
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.