Skip to main content

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVE-2019-1623

Severity Medium
Score 6.7/10

Summary

A vulnerability in the CLI configuration shell of Cisco Meeting Server could allow an authenticated, local attacker to inject arbitrary commands as the root user. The vulnerability is due to insufficient input validation during the execution of a vulnerable CLI command. An attacker with administrator-level credentials could exploit this vulnerability by injecting crafted arguments during command execution. A successful exploit could allow the attacker to perform arbitrary code execution as root on an affected product.

  • LOW
  • LOCAL
  • HIGH
  • UNCHANGED
  • NONE
  • HIGH
  • HIGH
  • HIGH

CWE-78 - OS Command Injection

The OS command injection weakness (also known as shell injection) is a vulnerability which enables an attacker to run arbitrary OS commands on a server. This is done by modifying the intended downstream OS command and injecting arbitrary commands, enabling the execution of unauthorized OS commands. This has the potential to fully compromise the application along with all of its data, and, if the compromised process does not follow the principle of least privileges, it may compromise other parts of the hosting infrastructure as well. This weakness is listed as number ten in the 'CWE Top 25 Most Dangerous Software Weaknesses'.

References

Advisory Timeline

  • Published