Details of VAR-202101-1053

ID

VAR-202101-1053

CVE

CVE-2021-1272

TITLE

Cisco Data Center Network Manager Server-side Request Forgery Vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2021-002609

DESCRIPTION

A vulnerability in the session validation feature of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass access controls and conduct a server-side request forgery (SSRF) attack on a targeted system. This vulnerability is due to insufficient validation of parameters in a specific HTTP request by an attacker. An attacker could exploit this vulnerability by sending a crafted HTTP request to an authenticated user of the DCNM web application. A successful exploit could allow the attacker to bypass access controls and gain unauthorized access to the Device Manager application, which provides access to network devices managed by the system. Cisco Data Center Network Manager (DCNM) is a data center management system of Cisco (Cisco). The system is available for Cisco Nexus and MDS series switches and provides storage visualization, configuration and troubleshooting functions

Trust: 1.8

sources: NVD: CVE-2021-1272 // JVNDB: JVNDB-2021-002609 // VULHUB: VHN-374326 // VULMON: CVE-2021-1272

AFFECTED PRODUCTS

vendor:	cisco	model:	data center network manager	scope:	lt	version:	11.5\(1\)	Trust: 1.0
vendor:	シスコシステムズ	model:	cisco data center network manager	scope:	eq	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2021-002609 // NVD: CVE-2021-1272

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-1272
value:	HIGH
Trust: 1.0
ykramarz@cisco.com:	CVE-2021-1272
value:	HIGH
Trust: 1.0
NVD:	CVE-2021-1272
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202101-1549
value:	HIGH
Trust: 0.6
VULHUB:	VHN-374326
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2021-1272
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-1272
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-374326
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-1272
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 2.0
NVD:	CVE-2021-1272
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-374326 // VULMON: CVE-2021-1272 // JVNDB: JVNDB-2021-002609 // CNNVD: CNNVD-202101-1549 // NVD: CVE-2021-1272 // NVD: CVE-2021-1272

PROBLEMTYPE DATA

problemtype:	CWE-918	Trust: 1.1
problemtype:	Server-side request forgery (CWE-918) [ Other ]	Trust: 0.8

sources: VULHUB: VHN-374326 // JVNDB: JVNDB-2021-002609 // NVD: CVE-2021-1272

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202101-1549

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-202101-1549

PATCH

title:	cisco-sa-dcnm-ssrf-F2vX6q5p	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dcnm-ssrf-F2vX6q5p	Trust: 0.8
title:	Cisco Data Center Network Manager Fixes for code issue vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=139930	Trust: 0.6
title:	Cisco: Cisco Data Center Network Manager Server-Side Request Forgery Vulnerability	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-dcnm-ssrf-F2vX6q5p	Trust: 0.1

sources: VULMON: CVE-2021-1272 // JVNDB: JVNDB-2021-002609 // CNNVD: CNNVD-202101-1549

EXTERNAL IDS

db:	NVD	id:	CVE-2021-1272	Trust: 2.6
db:	JVNDB	id:	JVNDB-2021-002609	Trust: 0.8
db:	AUSCERT	id:	ESB-2021.0246	Trust: 0.6
db:	CNNVD	id:	CNNVD-202101-1549	Trust: 0.6
db:	VULHUB	id:	VHN-374326	Trust: 0.1
db:	VULMON	id:	CVE-2021-1272	Trust: 0.1

sources: VULHUB: VHN-374326 // VULMON: CVE-2021-1272 // JVNDB: JVNDB-2021-002609 // CNNVD: CNNVD-202101-1549 // NVD: CVE-2021-1272

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-dcnm-ssrf-f2vx6q5p	Trust: 2.4
url:	https://nvd.nist.gov/vuln/detail/cve-2021-1272	Trust: 1.4
url:	https://www.auscert.org.au/bulletins/esb-2021.0246/	Trust: 0.6
url:	https://vigilance.fr/vulnerability/cisco-data-center-network-manager-privilege-escalation-via-server-side-request-forgery-34389	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/918.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/195315	Trust: 0.1

sources: VULHUB: VHN-374326 // VULMON: CVE-2021-1272 // JVNDB: JVNDB-2021-002609 // CNNVD: CNNVD-202101-1549 // NVD: CVE-2021-1272

SOURCES

db:	VULHUB	id:	VHN-374326
db:	VULMON	id:	CVE-2021-1272
db:	JVNDB	id:	JVNDB-2021-002609
db:	CNNVD	id:	CNNVD-202101-1549
db:	NVD	id:	CVE-2021-1272

LAST UPDATE DATE

2024-08-14T13:54:17.341000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-374326	date:	2021-01-27T00:00:00
db:	VULMON	id:	CVE-2021-1272	date:	2021-01-27T00:00:00
db:	JVNDB	id:	JVNDB-2021-002609	date:	2021-09-27T09:05:00
db:	CNNVD	id:	CNNVD-202101-1549	date:	2021-02-01T00:00:00
db:	NVD	id:	CVE-2021-1272	date:	2023-11-07T03:27:50.180

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-374326	date:	2021-01-20T00:00:00
db:	VULMON	id:	CVE-2021-1272	date:	2021-01-20T00:00:00
db:	JVNDB	id:	JVNDB-2021-002609	date:	2021-09-27T00:00:00
db:	CNNVD	id:	CNNVD-202101-1549	date:	2021-01-20T00:00:00
db:	NVD	id:	CVE-2021-1272	date:	2021-01-20T20:15:15.830