Command injection in Cisco UCS Central Software - CVE-2017-12255
Published: September 21, 2017
Vulnerability identifier: #VU8551
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-12255
CWE-ID: CWE-77
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Cisco Systems, Inc
Affected software:
Cisco UCS Central Software
Detailed vulnerability description
The vulnerability allows a local attacker to execute arbitrary commands.
The weakness exists in the CLI of Cisco UCS Central Software due to insufficient validation of commands entered in the CLI. A local attacker can enter a specific command with specially crafted arguments and gain shell access to the system.
How to mitigate CVE-2017-12255
Update to version 2.0(1b).