Details of VAR-202101-1036

ID

VAR-202101-1036

CVE

CVE-2021-1282

TITLE

plural Cisco Product path traversal vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2021-002786

DESCRIPTION

Multiple vulnerabilities in Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an attacker to conduct path traversal attacks and SQL injection attacks on an affected system. One of the SQL injection vulnerabilities that affects Unified CM IM&P also affects Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) and could allow an attacker to conduct SQL injection attacks on an affected system. For more information about these vulnerabilities, see the Details section of this advisory. This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution

Trust: 1.8

sources: NVD: CVE-2021-1282 // JVNDB: JVNDB-2021-002786 // VULHUB: VHN-374336 // VULMON: CVE-2021-1282

AFFECTED PRODUCTS

vendor:	cisco	model:	unified communications manager	scope:	gte	version:	12.5	Trust: 1.0
vendor:	cisco	model:	unified communications manager im and presence service	scope:	gte	version:	12.0	Trust: 1.0
vendor:	cisco	model:	unified communications manager	scope:	lt	version:	12.5\(1\)su4	Trust: 1.0
vendor:	cisco	model:	unified communications manager	scope:	lt	version:	11.5\(1\)su9	Trust: 1.0
vendor:	cisco	model:	unified communications manager	scope:	lt	version:	12.0\(1\)su4	Trust: 1.0
vendor:	cisco	model:	unified communications manager im and presence service	scope:	lt	version:	12.5\(1\)su4	Trust: 1.0
vendor:	cisco	model:	unified communications manager im and presence service	scope:	lt	version:	11.5\(1\)su9	Trust: 1.0
vendor:	cisco	model:	unified communications manager	scope:	gte	version:	12.0	Trust: 1.0
vendor:	シスコシステムズ	model:	cisco unified communications manager	scope:	eq	version:	-	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco unified communications manager im and presence service	scope:	eq	version:	-	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco unified communications manager	scope:	eq	version:	im presence service	Trust: 0.8

sources: JVNDB: JVNDB-2021-002786 // NVD: CVE-2021-1282

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-1282
value:	MEDIUM
Trust: 1.0
ykramarz@cisco.com:	CVE-2021-1282
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2021-1282
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202101-1604
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-374336
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2021-1282
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-1282
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-374336
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-1282
baseSeverity:	MEDIUM
baseScore:	4.9
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	1.2
impactScore:	3.6
version:	3.1
Trust: 1.0
ykramarz@cisco.com:	CVE-2021-1282
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2021-1282
baseSeverity:	MEDIUM
baseScore:	4.9
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-374336 // VULMON: CVE-2021-1282 // JVNDB: JVNDB-2021-002786 // CNNVD: CNNVD-202101-1604 // NVD: CVE-2021-1282 // NVD: CVE-2021-1282

PROBLEMTYPE DATA

problemtype:	CWE-89	Trust: 1.1
problemtype:	CWE-35	Trust: 1.0
problemtype:	Past traversal (CWE-35) [ Other ]	Trust: 0.8

sources: VULHUB: VHN-374336 // JVNDB: JVNDB-2021-002786 // NVD: CVE-2021-1282

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202101-1604

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-202101-1604

PATCH

title:	cisco-sa-imp-trav-inj-dM687ZD6	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-imp-trav-inj-dM687ZD6	Trust: 0.8
title:	Cisco Unified Communications Manager IM & Presence Service Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=139857	Trust: 0.6
title:	Cisco: Cisco Unified Communications Products Vulnerabilities	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-imp-trav-inj-dM687ZD6	Trust: 0.1

sources: VULMON: CVE-2021-1282 // JVNDB: JVNDB-2021-002786 // CNNVD: CNNVD-202101-1604

EXTERNAL IDS

db:	NVD	id:	CVE-2021-1282	Trust: 2.6
db:	JVNDB	id:	JVNDB-2021-002786	Trust: 0.8
db:	CNNVD	id:	CNNVD-202101-1604	Trust: 0.7
db:	AUSCERT	id:	ESB-2021.0252	Trust: 0.6
db:	VULHUB	id:	VHN-374336	Trust: 0.1
db:	VULMON	id:	CVE-2021-1282	Trust: 0.1

sources: VULHUB: VHN-374336 // VULMON: CVE-2021-1282 // JVNDB: JVNDB-2021-002786 // CNNVD: CNNVD-202101-1604 // NVD: CVE-2021-1282

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-imp-trav-inj-dm687zd6	Trust: 2.4
url:	https://nvd.nist.gov/vuln/detail/cve-2021-1282	Trust: 1.4
url:	https://www.auscert.org.au/bulletins/esb-2021.0252/	Trust: 0.6
url:	https://vigilance.fr/vulnerability/cisco-unified-communications-manager-four-vulnerabilities-34392	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/35.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/195340	Trust: 0.1

sources: VULHUB: VHN-374336 // VULMON: CVE-2021-1282 // JVNDB: JVNDB-2021-002786 // CNNVD: CNNVD-202101-1604 // NVD: CVE-2021-1282

SOURCES

db:	VULHUB	id:	VHN-374336
db:	VULMON	id:	CVE-2021-1282
db:	JVNDB	id:	JVNDB-2021-002786
db:	CNNVD	id:	CNNVD-202101-1604
db:	NVD	id:	CVE-2021-1282

LAST UPDATE DATE

2024-08-14T13:43:39.372000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-374336	date:	2022-08-05T00:00:00
db:	VULMON	id:	CVE-2021-1282	date:	2021-01-28T00:00:00
db:	JVNDB	id:	JVNDB-2021-002786	date:	2021-10-01T08:56:00
db:	CNNVD	id:	CNNVD-202101-1604	date:	2022-08-10T00:00:00
db:	NVD	id:	CVE-2021-1282	date:	2023-11-07T03:27:52.047

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-374336	date:	2021-01-20T00:00:00
db:	VULMON	id:	CVE-2021-1282	date:	2021-01-20T00:00:00
db:	JVNDB	id:	JVNDB-2021-002786	date:	2021-10-01T00:00:00
db:	CNNVD	id:	CNNVD-202101-1604	date:	2021-01-20T00:00:00
db:	NVD	id:	CVE-2021-1282	date:	2021-01-20T20:15:16.407