CVE-2020-3477: Input Validation
First published: Thu Sep 24 2020(Updated: )
A vulnerability in the CLI parser of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, local attacker to access files from the flash: filesystem. The vulnerability is due to insufficient application of restrictions during the execution of a specific command. An attacker could exploit this vulnerability by using a specific command at the command line. A successful exploit could allow the attacker to obtain read-only access to files that are located on the flash: filesystem that otherwise might not have been accessible.
Credit: ykramarz@cisco.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cisco IOS | =16.3.11 | |
| Cisco 2610xm | ||
| Cisco 2611xm | ||
| Cisco 2612 | ||
| Cisco 2620xm | ||
| Cisco 2621xm | ||
| Cisco 2650xm | ||
| Cisco 2651xm | ||
| Cisco 2691 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2020-3477?
CVE-2020-3477 is a vulnerability in the CLI parser of Cisco IOS Software and Cisco IOS XE Software that allows an authenticated, local attacker to access files from the flash: filesystem.
What is the severity of CVE-2020-3477?
The severity of CVE-2020-3477 is medium with a CVSS score of 5.5.
Which systems are affected by CVE-2020-3477?
Cisco IOS Software versions 16.3.11 and Cisco IOS XE Software are affected by CVE-2020-3477.
How can an attacker exploit CVE-2020-3477?
An attacker needs to be authenticated and have local access to the system in order to exploit CVE-2020-3477.
Is there a fix available for CVE-2020-3477?
Yes, Cisco has released software updates to address the vulnerability. Please refer to the Cisco Security Advisory for more information.