Details of VAR-202101-1047

ID

VAR-202101-1047

CVE

CVE-2021-1264

TITLE

Cisco DNA Center In OS Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2021-002604

DESCRIPTION

A vulnerability in the Command Runner tool of Cisco DNA Center could allow an authenticated, remote attacker to perform a command injection attack. The vulnerability is due to insufficient input validation by the Command Runner tool. An attacker could exploit this vulnerability by providing crafted input during command execution or via a crafted command runner API call. A successful exploit could allow the attacker to execute arbitrary CLI commands on devices managed by Cisco DNA Center. Cisco DNA Center is a network management and command center service of Cisco (Cisco)

Trust: 1.8

sources: NVD: CVE-2021-1264 // JVNDB: JVNDB-2021-002604 // VULHUB: VHN-374318 // VULMON: CVE-2021-1264

AFFECTED PRODUCTS

vendor:	cisco	model:	dna center	scope:	lt	version:	1.3.1.0	Trust: 1.0
vendor:	シスコシステムズ	model:	cisco dna center	scope:	eq	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2021-002604 // NVD: CVE-2021-1264

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-1264
value:	HIGH
Trust: 1.0
ykramarz@cisco.com:	CVE-2021-1264
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2021-1264
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202101-1554
value:	HIGH
Trust: 0.6
VULHUB:	VHN-374318
value:	HIGH
Trust: 0.1
VULMON:	CVE-2021-1264
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2021-1264
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-374318
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-1264
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
ykramarz@cisco.com:	CVE-2021-1264
baseSeverity:	CRITICAL
baseScore:	9.6
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.1
impactScore:	5.8
version:	3.1
Trust: 1.0
NVD:	CVE-2021-1264
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-374318 // VULMON: CVE-2021-1264 // JVNDB: JVNDB-2021-002604 // CNNVD: CNNVD-202101-1554 // NVD: CVE-2021-1264 // NVD: CVE-2021-1264

PROBLEMTYPE DATA

problemtype:	CWE-78	Trust: 1.1
problemtype:	OS Command injection (CWE-78) [ Other ]	Trust: 0.8

sources: VULHUB: VHN-374318 // JVNDB: JVNDB-2021-002604 // NVD: CVE-2021-1264

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202101-1554

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-202101-1554

PATCH

title:	cisco-sa-dnac-cmdinj-erumsWh9	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnac-cmdinj-erumsWh9	Trust: 0.8
title:	Cisco DNA Center Fixes for operating system command injection vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=139812	Trust: 0.6
title:	Cisco: Cisco DNA Center Command Runner Command Injection Vulnerability	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-dnac-cmdinj-erumsWh9	Trust: 0.1
title:	-	url:	https://threatpost.com/cisco-dna-center-bug-remote-attack/163302/	Trust: 0.1
title:	-	url:	https://threatpost.com/critical-cisco-sd-wan-bugs-rce-attacks/163204/	Trust: 0.1
title:	-	url:	https://www.theregister.co.uk/2021/01/22/cisco_critical_vulnerabilities/	Trust: 0.1

sources: VULMON: CVE-2021-1264 // JVNDB: JVNDB-2021-002604 // CNNVD: CNNVD-202101-1554

EXTERNAL IDS

db:	NVD	id:	CVE-2021-1264	Trust: 2.6
db:	JVNDB	id:	JVNDB-2021-002604	Trust: 0.8
db:	AUSCERT	id:	ESB-2021.0243	Trust: 0.6
db:	CNNVD	id:	CNNVD-202101-1554	Trust: 0.6
db:	VULHUB	id:	VHN-374318	Trust: 0.1
db:	VULMON	id:	CVE-2021-1264	Trust: 0.1

sources: VULHUB: VHN-374318 // VULMON: CVE-2021-1264 // JVNDB: JVNDB-2021-002604 // CNNVD: CNNVD-202101-1554 // NVD: CVE-2021-1264

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-dnac-cmdinj-erumswh9	Trust: 2.4
url:	https://nvd.nist.gov/vuln/detail/cve-2021-1264	Trust: 1.4
url:	https://www.auscert.org.au/bulletins/esb-2021.0243/	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/78.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/195300	Trust: 0.1
url:	https://threatpost.com/cisco-dna-center-bug-remote-attack/163302/	Trust: 0.1

sources: VULHUB: VHN-374318 // VULMON: CVE-2021-1264 // JVNDB: JVNDB-2021-002604 // CNNVD: CNNVD-202101-1554 // NVD: CVE-2021-1264

SOURCES

db:	VULHUB	id:	VHN-374318
db:	VULMON	id:	CVE-2021-1264
db:	JVNDB	id:	JVNDB-2021-002604
db:	CNNVD	id:	CNNVD-202101-1554
db:	NVD	id:	CVE-2021-1264

LAST UPDATE DATE

2024-08-14T13:12:10.989000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-374318	date:	2021-01-27T00:00:00
db:	VULMON	id:	CVE-2021-1264	date:	2021-01-27T00:00:00
db:	JVNDB	id:	JVNDB-2021-002604	date:	2021-09-27T09:05:00
db:	CNNVD	id:	CNNVD-202101-1554	date:	2021-02-01T00:00:00
db:	NVD	id:	CVE-2021-1264	date:	2023-11-07T03:27:49.183

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-374318	date:	2021-01-20T00:00:00
db:	VULMON	id:	CVE-2021-1264	date:	2021-01-20T00:00:00
db:	JVNDB	id:	JVNDB-2021-002604	date:	2021-09-27T00:00:00
db:	CNNVD	id:	CNNVD-202101-1554	date:	2021-01-20T00:00:00
db:	NVD	id:	CVE-2021-1264	date:	2021-01-20T20:15:15.267