← Back

CVE-2024-20278

nvd nist
Published: Mar 27, 2024Modified: Aug 1, 2025

JSON object

Loading...
6.5
Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Exploitability: 1.2 / Impact: 5.2
Source: psirt@cisco.com (Secondary)

Description

A vulnerability in the NETCONF feature of Cisco IOS XE Software could allow an authenticated, remote attacker to elevate privileges to root on an affected device. This vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending crafted input over NETCONF to an affected device. A successful exploit could allow the attacker to elevate privileges from Administrator to root.

Affected (43)

Products: Cisco: Ios Xe
Cisco
1 product
Ios Xe
Configuration A
43 vulnerable
Vulnerable SoftwareAffected Versions
Cisco
Ios Xe
Version 17.10.1
Ios Xe
Version 17.10.1a
Ios Xe
Version 17.10.1b
Ios Xe
Version 17.11.1
Ios Xe
Version 17.11.1a
Ios Xe
Version 17.11.99sw
Ios Xe
Version 17.12.1
Ios Xe
Version 17.12.1a
Ios Xe
Version 17.12.1w
Ios Xe
Version 17.6.1
Ios Xe
Version 17.6.1a
Ios Xe
Version 17.6.1w
Ios Xe
Version 17.6.1x
Ios Xe
Version 17.6.1y
Ios Xe
Version 17.6.1z1
Ios Xe
Version 17.6.1z
Ios Xe
Version 17.6.2
Ios Xe
Version 17.6.3
Ios Xe
Version 17.6.3a
Ios Xe
Version 17.6.4
Ios Xe
Version 17.6.5
Ios Xe
Version 17.6.5a
Ios Xe
Version 17.6.6
Ios Xe
Version 17.6.6a
Ios Xe
Version 17.7.1
Ios Xe
Version 17.7.1a
Ios Xe
Version 17.7.1b
Ios Xe
Version 17.7.2
Ios Xe
Version 17.8.1
Ios Xe
Version 17.8.1a
Ios Xe
Version 17.9.1
Ios Xe
Version 17.9.1a
Ios Xe
Version 17.9.1w
Ios Xe
Version 17.9.1x1
Ios Xe
Version 17.9.1x
Ios Xe
Version 17.9.1y1
Ios Xe
Version 17.9.1y
Ios Xe
Version 17.9.2
Ios Xe
Version 17.9.2a
Ios Xe
Version 17.9.3
Ios Xe
Version 17.9.3a
Ios Xe
Version 17.9.4
Ios Xe
Version 17.9.4a

Related CWEs

CWE-184
Incomplete List of Disallowed Inputs
The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete, leading to resultant weaknesses.

References (2)

Source: psirt@cisco.com
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory

Timeline

No history available yet.