CVE-2019-1756: Cisco IOS XE Software Command Injection Vulnerability
First published: Thu Mar 28 2019(Updated: )
A vulnerability in Cisco IOS XE Software could allow an authenticated, remote attacker to execute commands on the underlying Linux shell of an affected device with root privileges. The vulnerability occurs because the affected software improperly sanitizes user-supplied input. An attacker who has valid administrator access to an affected device could exploit this vulnerability by supplying a username with a malicious payload in the web UI and subsequently making a request to a specific endpoint in the web UI. A successful exploit could allow the attacker to run arbitrary commands as the root user, allowing complete compromise of the system.
Credit: ykramarz@cisco.com ykramarz@cisco.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cisco IOS | =11.0\(20.3\) | |
| Cisco IOS | =16.9\(1\) | |
| Cisco IOS XE Software | =3.2.0ja | |
| Cisco IOS XE Software | =16.7.1 | |
| Cisco IOS XE Software | =16.7.1a | |
| Cisco IOS XE Software | =16.7.1b | |
| Cisco IOS XE Software | =16.7.2 | |
| Cisco IOS XE Software | =16.7.3 | |
| Cisco IOS XE Software | =16.8.1 | |
| Cisco IOS XE Software | =16.8.1a | |
| Cisco IOS XE Software | =16.8.1b | |
| Cisco IOS XE Software | =16.8.1c | |
| Cisco IOS XE Software | =16.8.1d | |
| Cisco IOS XE Software | =16.8.1e | |
| Cisco IOS XE Software | =16.8.1s | |
| Cisco IOS XE Software | =16.8.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2019-1756?
CVE-2019-1756 is rated as high severity due to the potential for remote command execution with root privileges.
How do I fix CVE-2019-1756?
To fix CVE-2019-1756, upgrade your Cisco IOS XE Software to a version that is not affected by this vulnerability.
What types of devices are affected by CVE-2019-1756?
CVE-2019-1756 affects various versions of Cisco IOS and Cisco IOS XE Software.
Can CVE-2019-1756 be exploited without authentication?
No, CVE-2019-1756 requires an authenticated attacker to exploit the vulnerability.
What impact does CVE-2019-1756 have on system security?
CVE-2019-1756 can allow an authenticated attacker to execute arbitrary commands, compromising the underlying system integrity.
- agent/references
- agent/type
- agent/title
- agent/remedy
- agent/weakness
- agent/severity
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/first-publish-date
- agent/author
- agent/last-modified-date
- agent/event
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/nvd-index
- vendor/cisco
- canonical/cisco ios
- version/cisco ios/11.0\(20.3\)
- version/cisco ios/16.9\(1\)
- canonical/cisco ios xe
- version/cisco ios xe/3.2.0ja
- version/cisco ios xe/16.7.1
- version/cisco ios xe/16.7.1a
- version/cisco ios xe/16.7.1b
- version/cisco ios xe/16.7.2
- version/cisco ios xe/16.7.3
- version/cisco ios xe/16.8.1
- version/cisco ios xe/16.8.1a
- version/cisco ios xe/16.8.1b
- version/cisco ios xe/16.8.1c
- version/cisco ios xe/16.8.1d
- version/cisco ios xe/16.8.1e
- version/cisco ios xe/16.8.1s
- version/cisco ios xe/16.8.2