CVE-2022-20650

Published: Feb 23, 2022Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

A vulnerability in the NX-API feature of Cisco NX-OS Software could allow an authenticated, remote attacker to execute arbitrary commands with root privileges. The vulnerability is due to insufficient input validation of user supplied data that is sent to the NX-API. An attacker could exploit this vulnerability by sending a crafted HTTP POST request to the NX-API of an affected device. A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the underlying operating system. Note: The NX-API feature is disabled by default.

Affected (2)

Products: Cisco: Nx Os

Cisco

1 product

Nx Os

Configuration A

1 vulnerable · 55 platform

Vulnerable Software	Affected Versions
Cisco Nx Os	Version 10.2(1.72)

Running on/with	Platform Versions
Cisco N9k C9316d Gx	All versions
Cisco N9k C9332d Gx2b	All versions
Cisco N9k C9348d Gx2a	All versions
Cisco N9k C93600cd Gx	All versions
Cisco N9k C9364d Gx2a	All versions
Cisco Nexus 3048	All versions
Cisco Nexus 31108pc V	All versions
Cisco Nexus 31108tc V	All versions
Cisco Nexus 31128pq	All versions
Cisco Nexus 3132c Z	All versions
Cisco Nexus 3132q V	All versions
Cisco Nexus 3132q X	All versions
Cisco Nexus 3132q Xl	All versions
Cisco Nexus 3164q	All versions
Cisco Nexus 3172pq	All versions
Cisco Nexus 3172pq Xl	All versions
Cisco Nexus 3172tq Xl	All versions
Cisco Nexus 3232c	All versions
Cisco Nexus 3264c E	All versions
Cisco Nexus 3264q	All versions
Cisco Nexus 3408 S	All versions
Cisco Nexus 34180yc	All versions
Cisco Nexus 3432d S	All versions
Cisco Nexus 3464c	All versions
Cisco Nexus 3524 X	All versions
Cisco Nexus 3524 Xl	All versions
Cisco Nexus 3548 X	All versions
Cisco Nexus 3548 Xl	All versions
Cisco Nexus 36180yc R	All versions
Cisco Nexus 3636c R	All versions
Cisco Nexus 92160yc X	All versions
Cisco Nexus 92300yc	All versions
Cisco Nexus 92304qc	All versions
Cisco Nexus 92348gc X	All versions
Cisco Nexus 9236c	All versions
Cisco Nexus 9272q	All versions
Cisco Nexus 93108tc Ex	All versions
Cisco Nexus 93108tc Fx	All versions
Cisco Nexus 93108tc Fx3p	All versions
Cisco Nexus 93120tx	All versions
Cisco Nexus 93180yc Ex	All versions
Cisco Nexus 93180yc Fx	All versions
Cisco Nexus 93180yc Fx3	All versions
Cisco Nexus 93216tc Fx2	All versions
Cisco Nexus 93240yc Fx2	All versions
Cisco Nexus 9332c	All versions
Cisco Nexus 93360yc Fx2	All versions
Cisco Nexus 9336c Fx2	All versions
Cisco Nexus 9336c Fx2 E	All versions
Cisco Nexus 9348gc Fxp	All versions
Cisco Nexus 9364c	All versions
Cisco Nexus 9364c Gx	All versions
Cisco Nexus 9504 Switch	All versions
Cisco Nexus 9508 Switch	All versions
Cisco Nexus 9516 Switch	All versions

Configuration B

1 vulnerable · 10 platform

Vulnerable Software	Affected Versions
Cisco Nx Os	Version 7.3(8)n1(0.4)

Running on/with	Platform Versions
Cisco Nexus 5548p	All versions
Cisco Nexus 5548up	All versions
Cisco Nexus 5596t	All versions
Cisco Nexus 5596up	All versions
Cisco Nexus 56128p	All versions
Cisco Nexus 5672up	All versions
Cisco Nexus 5672up 16g	All versions
Cisco Nexus 6000	All versions
Cisco Nexus 6001	All versions
Cisco Nexus 6004	All versions

Related CWEs

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (2)

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-nxapi-cmdinject-ULukNMZ2

Source: psirt@cisco.com

Vendor Advisory

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-nxapi-cmdinject-ULukNMZ2

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.