CVE-2024-20461

Published: Oct 16, 2024Modified: Oct 22, 2024

6.0

Vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Exploitability: 0.8 / Impact: 5.2

Source: NVD

Description

A vulnerability in the CLI of Cisco ATA 190 Series Analog Telephone Adapter firmware could allow an authenticated, local attacker with high privileges to execute arbitrary commands as the root user. This vulnerability exists because CLI input is not properly sanitized. An attacker could exploit this vulnerability by sending malicious characters to the CLI. A successful exploit could allow the attacker to read and write to the underlying operating system as the root user.

Affected (3)

Products: Cisco: Ata 191 Firmware, Ata 192 Firmware

Cisco

2 products

Ata 191 Firmware

Ata 192 Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Cisco Ata 191 Firmware	Before 12.0.2

Running on/with	Platform Versions
Cisco Ata 191	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Cisco Ata 191 Firmware	Before 11.2.5

Running on/with	Platform Versions
Cisco Ata 191	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Cisco Ata 192 Firmware	Before 11.2.5

Running on/with	Platform Versions
Cisco Ata 192	All versions

Related CWEs

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (1)

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ata19x-multi-RDTEqRsy

Source: psirt@cisco.com

Vendor Advisory

Timeline

No history available yet.