CISCO-SA-IOS-INVALID-URL-DOS-NVXSZF6U

Vulnerable Products:

This vulnerability affects the following Cisco Industrial Ethernet (IE) Series Switches if they are running a vulnerable release of Cisco IOS Software and have the HTTP Server feature enabled:

IE 2000 Series IE 3010 Series IE 4000 Series IE 4010 Series IE 5000 Series

For information about which Cisco software releases are vulnerable, see the Fixed Software ["#fs"] section of this advisory. Determine the HTTP Server Configuration To determine whether the HTTP Server feature is enabled for a device, log in to the device and use the show running-config | include ip http server|secure|active command in the CLI to check for the presence of the ip http server command or the ip http secure-server command in the global configuration. If either command is present, the HTTP Server feature is enabled for the device, as shown in the following example:

Router# show running-config | include ip http server|secure|active ip http server ip http secure-server

Note: The presence of either command or both commands in the device configuration indicates that the web UI is enabled.

If the ip http server command is present and the configuration also contains ip http active-session-modules none, the vulnerability is not exploitable over HTTP.

If the ip http secure-server command is present and the configuration also contains ip http secure-active-session-modules none, the vulnerability is not exploitable over HTTPS.Products Confirmed Not Vulnerable:

Only products listed in the Vulnerable Products ["#vp"] section of this advisory are known to be affected by this vulnerability.

Cisco has confirmed that this vulnerability does not affect the following Cisco products:

IOS XR Software IOS XE Software NX-OS SoftwareDetails:

This vulnerability was investigated with bug CSCwo34150 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwo34150"]. It was determined that the resolution of CSCwi59625...