ID

VAR-202101-1036


CVE

CVE-2021-1282


TITLE

Path traversal vulnerabilities in multiple Cisco products

Trust: 0.8

sources: JVNDB: JVNDB-2021-002786

DESCRIPTION

Multiple vulnerabilities in Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an attacker to conduct path traversal attacks and SQL injection attacks on an affected system. One of the SQL injection vulnerabilities that affects Unified CM IM&P also affects Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) and could allow an attacker to conduct SQL injection attacks on an affected system. For more information about these vulnerabilities, see the Details section of this advisory. This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution.

Trust: 1.8

sources: NVD: CVE-2021-1282 // JVNDB: JVNDB-2021-002786 // VULHUB: VHN-374336 // VULMON: CVE-2021-1282

AFFECTED PRODUCTS

vendor: cisco // model: unified communications manager // scope: gte // version: 12.5

Trust: 1.0

vendor: cisco // model: unified communications manager im and presence service // scope: gte // version: 12.0

Trust: 1.0

vendor: cisco // model: unified communications manager // scope: lt // version: 12.5(1)su4

Trust: 1.0

vendor: cisco // model: unified communications manager // scope: lt // version: 11.5(1)su9

Trust: 1.0

vendor: cisco // model: unified communications manager // scope: lt // version: 12.0(1)su4

Trust: 1.0

vendor: cisco // model: unified communications manager im and presence service // scope: lt // version: 12.5(1)su4

Trust: 1.0

vendor: cisco // model: unified communications manager im and presence service // scope: lt // version: 11.5(1)su9

Trust: 1.0

vendor: cisco // model: unified communications manager // scope: gte // version: 12.0

Trust: 1.0

vendor: シスコシステムズ // model: cisco unified communications manager // scope: eq // version: -

Trust: 0.8

vendor: シスコシステムズ // model: cisco unified communications manager im and presence service // scope: eq // version: -

Trust: 0.8

vendor: シスコシステムズ // model: cisco unified communications manager // scope: eq // version: im presence service

Trust: 0.8

sources: JVNDB: JVNDB-2021-002786 // NVD: CVE-2021-1282

CVSS

SEVERITY

nvd@nist.gov: CVE-2021-1282
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2021-1282
value: MEDIUM

Trust: 1.0

NVD: CVE-2021-1282
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202101-1604
value: MEDIUM

Trust: 0.6

VULHUB: VHN-374336
value: MEDIUM

Trust: 0.1

VULMON: CVE-2021-1282
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2021-1282
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-374336
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2021-1282
baseSeverity: MEDIUM
baseScore: 4.9
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.2
impactScore: 3.6
version: 3.1

Trust: 1.0

ykramarz@cisco.com: CVE-2021-1282
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2021-1282
baseSeverity: MEDIUM
baseScore: 4.9
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-374336 // VULMON: CVE-2021-1282 // JVNDB: JVNDB-2021-002786 // CNNVD: CNNVD-202101-1604 // NVD: CVE-2021-1282 // NVD: CVE-2021-1282

PROBLEMTYPE DATA

problemtype:CWE-89

Trust: 1.1

problemtype:CWE-35

Trust: 1.0

problemtype:Path traversal (CWE-35) [Other]

Trust: 0.8

sources: VULHUB: VHN-374336 // JVNDB: JVNDB-2021-002786 // NVD: CVE-2021-1282

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202101-1604

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-202101-1604

PATCH

title: cisco-sa-imp-trav-inj-dM687ZD6 // url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-imp-trav-inj-dM687ZD6

Trust: 0.8

title: Cisco Unified Communications Manager IM & Presence Service Security vulnerabilities // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=139857

Trust: 0.6

title: Cisco: Cisco Unified Communications Products Vulnerabilities // url: https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-imp-trav-inj-dM687ZD6

Trust: 0.1

sources: VULMON: CVE-2021-1282 // JVNDB: JVNDB-2021-002786 // CNNVD: CNNVD-202101-1604

EXTERNAL IDS

db: NVD // id: CVE-2021-1282

Trust: 2.6

db: JVNDB // id: JVNDB-2021-002786

Trust: 0.8

db: CNNVD // id: CNNVD-202101-1604

Trust: 0.7

db: AUSCERT // id: ESB-2021.0252

Trust: 0.6

db: VULHUB // id: VHN-374336

Trust: 0.1

db: VULMON // id: CVE-2021-1282

Trust: 0.1

sources: VULHUB: VHN-374336 // VULMON: CVE-2021-1282 // JVNDB: JVNDB-2021-002786 // CNNVD: CNNVD-202101-1604 // NVD: CVE-2021-1282

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-imp-trav-inj-dm687zd6

Trust: 2.4

url:https://nvd.nist.gov/vuln/detail/cve-2021-1282

Trust: 1.4

url:https://www.auscert.org.au/bulletins/esb-2021.0252/

Trust: 0.6

url:https://vigilance.fr/vulnerability/cisco-unified-communications-manager-four-vulnerabilities-34392

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/35.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/195340

Trust: 0.1

sources: VULHUB: VHN-374336 // VULMON: CVE-2021-1282 // JVNDB: JVNDB-2021-002786 // CNNVD: CNNVD-202101-1604 // NVD: CVE-2021-1282

SOURCES

db: VULHUB // id: VHN-374336
db: VULMON // id: CVE-2021-1282
db: JVNDB // id: JVNDB-2021-002786
db: CNNVD // id: CNNVD-202101-1604
db: NVD // id: CVE-2021-1282

LAST UPDATE DATE

2024-08-14T13:43:39.372000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-374336 // date: 2022-08-05T00:00:00
db: VULMON // id: CVE-2021-1282 // date: 2021-01-28T00:00:00
db: JVNDB // id: JVNDB-2021-002786 // date: 2021-10-01T08:56:00
db: CNNVD // id: CNNVD-202101-1604 // date: 2022-08-10T00:00:00
db: NVD // id: CVE-2021-1282 // date: 2023-11-07T03:27:52.047

SOURCES RELEASE DATE

db: VULHUB // id: VHN-374336 // date: 2021-01-20T00:00:00
db: VULMON // id: CVE-2021-1282 // date: 2021-01-20T00:00:00
db: JVNDB // id: JVNDB-2021-002786 // date: 2021-10-01T00:00:00
db: CNNVD // id: CNNVD-202101-1604 // date: 2021-01-20T00:00:00
db: NVD // id: CVE-2021-1282 // date: 2021-01-20T20:15:16.407