ID

VAR-202101-1009


CVE

CVE-2021-1364


TITLE

Cisco Unified Communications Manager SQL Injection vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-202101-1523

DESCRIPTION

Multiple vulnerabilities in Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an attacker to conduct path traversal attacks and SQL injection attacks on an affected system. One of the SQL injection vulnerabilities that affects Unified CM IM&P also affects Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) and could allow an attacker to conduct SQL injection attacks on an affected system. For more information about these vulnerabilities, see the Details section of this advisory. This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution.

Trust: 1.08

sources: NVD: CVE-2021-1364 // VULHUB: VHN-374418 // VULMON: CVE-2021-1364

AFFECTED PRODUCTS

vendor: cisco, model: unified communications manager, scope: gte, version: 12.5

Trust: 1.0

vendor: cisco, model: unified communications manager im and presence service, scope: gte, version: 12.0

Trust: 1.0

vendor: cisco, model: unified communications manager, scope: lt, version: 12.5(1)su4

Trust: 1.0

vendor: cisco, model: unified communications manager, scope: lt, version: 11.5(1)su9

Trust: 1.0

vendor: cisco, model: unified communications manager, scope: lt, version: 12.0(1)su4

Trust: 1.0

vendor: cisco, model: unified communications manager im and presence service, scope: lt, version: 12.5(1)su4

Trust: 1.0

vendor: cisco, model: unified communications manager im and presence service, scope: lt, version: 11.5(1)su9

Trust: 1.0

vendor: cisco, model: unified communications manager, scope: gte, version: 12.0

Trust: 1.0

sources: NVD: CVE-2021-1364

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-1364
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2021-1364
value: MEDIUM

Trust: 1.0

CNNVD: CNNVD-202101-1523
value: MEDIUM

Trust: 0.6

VULHUB: VHN-374418
value: MEDIUM

Trust: 0.1

VULMON: CVE-2021-1364
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-1364
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

VULHUB: VHN-374418
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-1364
baseSeverity: MEDIUM
baseScore: 4.9
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.2
impactScore: 3.6
version: 3.1

Trust: 1.0

ykramarz@cisco.com: CVE-2021-1364
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-374418 // VULMON: CVE-2021-1364 // CNNVD: CNNVD-202101-1523 // NVD: CVE-2021-1364 // NVD: CVE-2021-1364

PROBLEMTYPE DATA

problemtype:CWE-89

Trust: 1.1

problemtype:CWE-35

Trust: 1.0

sources: VULHUB: VHN-374418 // NVD: CVE-2021-1364

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202101-1523

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-202101-1523

PATCH

title: Cisco Unified Communications Manager IM & Presence Service Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=139786

Trust: 0.6

title: Cisco: Cisco Unified Communications Products Vulnerabilities
url: https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-imp-trav-inj-dM687ZD6

Trust: 0.1

sources: VULMON: CVE-2021-1364 // CNNVD: CNNVD-202101-1523

EXTERNAL IDS

db: NVD, id: CVE-2021-1364

Trust: 1.8

db: AUSCERT, id: ESB-2021.0252

Trust: 0.6

db: CNNVD, id: CNNVD-202101-1523

Trust: 0.6

db: VULHUB, id: VHN-374418

Trust: 0.1

db: VULMON, id: CVE-2021-1364

Trust: 0.1

sources: VULHUB: VHN-374418 // VULMON: CVE-2021-1364 // CNNVD: CNNVD-202101-1523 // NVD: CVE-2021-1364

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-imp-trav-inj-dm687zd6

Trust: 2.5

url:https://nvd.nist.gov/vuln/detail/cve-2021-1364

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.0252/

Trust: 0.6

url:https://vigilance.fr/vulnerability/cisco-unified-communications-manager-four-vulnerabilities-34392

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/89.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-374418 // VULMON: CVE-2021-1364 // CNNVD: CNNVD-202101-1523 // NVD: CVE-2021-1364

SOURCES

db: VULHUB, id: VHN-374418
db: VULMON, id: CVE-2021-1364
db: CNNVD, id: CNNVD-202101-1523
db: NVD, id: CVE-2021-1364

LAST UPDATE DATE

2024-08-14T13:43:39.339000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-374418, date: 2021-01-29T00:00:00
db: VULMON, id: CVE-2021-1364, date: 2021-01-29T00:00:00
db: CNNVD, id: CNNVD-202101-1523, date: 2021-02-02T00:00:00
db: NVD, id: CVE-2021-1364, date: 2023-11-07T03:28:06.313

SOURCES RELEASE DATE

db: VULHUB, id: VHN-374418, date: 2021-01-20T00:00:00
db: VULMON, id: CVE-2021-1364, date: 2021-01-20T00:00:00
db: CNNVD, id: CNNVD-202101-1523, date: 2021-01-20T00:00:00
db: NVD, id: CVE-2021-1364, date: 2021-01-20T20:15:17.753