CVE-2024-20326

Summary

A vulnerability in the ConfD CLI and the Cisco Crosswork Network Services Orchestrator CLI could allow an authenticated, low-privileged, local attacker to read and write arbitrary files as root on the underlying operating system.

This vulnerability is due to improper authorization enforcement when specific CLI commands are used. An attacker could exploit this vulnerability by executing an affected CLI command with crafted arguments. A successful exploit could allow the attacker to read or write arbitrary files on the underlying operating system with the privileges of the root user.

Affected Software

VendorProductVersion RangeStatus
CiscoCisco ConfD7.3.5affected
CiscoCisco ConfD7.3.5.2affected
CiscoCisco ConfD7.3.5.1affected
CiscoCisco ConfD7.3.6affected
CiscoCisco ConfD7.4.5.3affected
CiscoCisco ConfD7.4.5.2affected
CiscoCisco ConfD7.4.6affected
CiscoCisco ConfD7.4.5.1affected
CiscoCisco ConfD7.4.8affected
CiscoCisco ConfD7.4.5affected
CiscoCisco ConfD7.4.7affected
CiscoCisco ConfD7.5.10affected
CiscoCisco ConfD7.5.4affected
CiscoCisco ConfD7.5.3.2affected
CiscoCisco ConfD7.5.3.1affected
CiscoCisco ConfD7.5.4.2affected
CiscoCisco ConfD7.5.4.1affected
CiscoCisco ConfD7.5.6.2affected
CiscoCisco ConfD7.5.5affected
CiscoCisco ConfD7.5.8affected
CiscoCisco ConfD7.5.9affected
CiscoCisco ConfD7.5.6affected
CiscoCisco ConfD7.5.4.3affected
CiscoCisco ConfD7.5.6.1affected
CiscoCisco ConfD7.5.7affected
CiscoCisco ConfD7.5.5.1affected
CiscoCisco ConfD7.5.3affected
CiscoCisco ConfD7.7affected
CiscoCisco ConfD7.6affected
CiscoCisco ConfD7.8affected
CiscoCisco ConfD7.6.12affected
CiscoCisco ConfD7.6.11affected
CiscoCisco ConfD7.6.9affected
CiscoCisco ConfD7.6.5affected
CiscoCisco ConfD7.6.1affected
CiscoCisco ConfD7.6.14.1affected
CiscoCisco ConfD7.6.8.1affected
CiscoCisco ConfD7.6.2affected
CiscoCisco ConfD7.6.4affected
CiscoCisco ConfD7.6.8affected
CiscoCisco ConfD7.6.7affected
CiscoCisco ConfD7.6.10affected
CiscoCisco ConfD7.6.3affected
CiscoCisco ConfD7.6.13affected
CiscoCisco ConfD7.6.14affected
CiscoCisco ConfD7.6.6affected
CiscoCisco ConfD7.7.7affected
CiscoCisco ConfD7.7.13affected
CiscoCisco ConfD7.7.4affected
CiscoCisco ConfD7.7.8affected
CiscoCisco ConfD7.7.9affected
CiscoCisco ConfD7.7.12affected
CiscoCisco ConfD7.7.2affected
CiscoCisco ConfD7.7.5affected
CiscoCisco ConfD7.7.5.1affected
CiscoCisco ConfD7.7.6affected
CiscoCisco ConfD7.7.10affected
CiscoCisco ConfD7.7.1affected
CiscoCisco ConfD7.7.3affected
CiscoCisco ConfD7.7.11affected
CiscoCisco ConfD7.8.8affected
CiscoCisco ConfD7.8.4affected
CiscoCisco ConfD7.8.2affected
CiscoCisco ConfD7.8.7affected
CiscoCisco ConfD7.8.9affected
CiscoCisco ConfD7.8.11affected
CiscoCisco ConfD7.8.5affected
CiscoCisco ConfD7.8.1affected
CiscoCisco ConfD7.8.3affected
CiscoCisco ConfD7.8.6affected
CiscoCisco ConfD7.8.10affected
CiscoCisco ConfD8.0.4affected
CiscoCisco ConfD8.0.8affected
CiscoCisco ConfD8.0.5affected
CiscoCisco ConfD8.0.7affected
CiscoCisco ConfD8.0.2affected
CiscoCisco ConfD8.0.1affected
CiscoCisco ConfD8.0.3affected
CiscoCisco ConfD8.0.6affected
CiscoCisco ConfD8.1affected
CiscoCisco ConfD8.0affected
CiscoCisco ConfD8.1.2affected
CiscoCisco ConfD8.1.4affected
CiscoCisco ConfD8.1.1affected
CiscoCisco ConfD8.1.3affected
CiscoCisco ConfD Basic8.0.1affected
CiscoCisco ConfD Basic8.0.6affected
CiscoCisco ConfD Basic8.0.4affected
CiscoCisco ConfD Basic8.0.2affected
CiscoCisco ConfD Basic8.0.3affected
CiscoCisco ConfD Basic8.0.5affected
CiscoCisco ConfD Basic8.0.10affected
CiscoCisco ConfD Basic8.0.11affected
CiscoCisco ConfD Basic8.0.7affected
CiscoCisco ConfD Basic8.0.8affected
CiscoCisco ConfD Basic8.0.9affected
CiscoCisco ConfD Basic7.8.3affected
CiscoCisco ConfD Basic8.0affected
CiscoCisco Network Services OrchestratorN/Aaffected

Weaknesses

  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

CVE Program Container

Additional References

References