CVE-2012-0384

Name of the Vulnerable Software and Affected Versions Cisco IOS versions 12.2 through 12.4 Cisco IOS versions 15.0 through 15.2 Cisco IOS XE versions 2.1.x through 2.6.x Cisco IOS XE versions 3.1.xS before 3.1.2S Cisco IOS XE versions 3.2.xS through 3.4.xS before 3.4.2S Cisco IOS XE versions 3.5.xS before 3.5.1S Cisco IOS XE versions 3.1.xSG and 3.2.xSG before 3.2.2SG

Description The issue allows remote authenticated users to bypass intended access restrictions and execute commands via an HTTP or HTTPS session when AAA authorization is enabled. This vulnerability may allow a remote application or device to exceed its authorization level. The HTTP or HTTPS server must be enabled on the Cisco IOS device for the vulnerability to be exploited.

Recommendations For Cisco IOS versions 12.2 through 12.4, update to a version that includes the fix for this issue. For Cisco IOS versions 15.0 through 15.2, update to a version that includes the fix for this issue. For Cisco IOS XE versions 2.1.x through 2.6.x, update to a version that includes the fix for this issue. For Cisco IOS XE versions 3.1.xS before 3.1.2S, update to version 3.1.2S or later. For Cisco IOS XE versions 3.2.xS through 3.4.xS before 3.4.2S, update to version 3.4.2S or later. For Cisco IOS XE versions 3.5.xS before 3.5.1S, update to version 3.5.1S or later. For Cisco IOS XE versions 3.1.xSG and 3.2.xSG before 3.2.2SG, update to version 3.2.2SG or later. As a temporary workaround, consider disabling the HTTP server to minimize the risk of exploitation.