ID

VAR-202101-1053


CVE

CVE-2021-1272


TITLE

Cisco Data Center Network Manager  Server-side Request Forgery Vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2021-002609

DESCRIPTION

A vulnerability in the session validation feature of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass access controls and conduct a server-side request forgery (SSRF) attack on a targeted system. This vulnerability is due to insufficient validation of parameters in a specific HTTP request by an attacker. An attacker could exploit this vulnerability by sending a crafted HTTP request to an authenticated user of the DCNM web application. A successful exploit could allow the attacker to bypass access controls and gain unauthorized access to the Device Manager application, which provides access to network devices managed by the system. Cisco Data Center Network Manager (DCNM) is a data center management system of Cisco (Cisco). The system is available for Cisco Nexus and MDS series switches and provides storage visualization, configuration and troubleshooting functions

Trust: 1.8

sources: NVD: CVE-2021-1272 // JVNDB: JVNDB-2021-002609 // VULHUB: VHN-374326 // VULMON: CVE-2021-1272

AFFECTED PRODUCTS

vendor:ciscomodel:data center network managerscope:ltversion:11.5\(1\)

Trust: 1.0

vendor:シスコシステムズmodel:cisco data center network managerscope:eqversion: -

Trust: 0.8

sources: JVNDB: JVNDB-2021-002609 // NVD: CVE-2021-1272

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-1272
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2021-1272
value: HIGH

Trust: 1.0

NVD: CVE-2021-1272
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202101-1549
value: HIGH

Trust: 0.6

VULHUB: VHN-374326
value: MEDIUM

Trust: 0.1

VULMON: CVE-2021-1272
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-1272
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-374326
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-1272
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 2.0

NVD: CVE-2021-1272
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-374326 // VULMON: CVE-2021-1272 // JVNDB: JVNDB-2021-002609 // CNNVD: CNNVD-202101-1549 // NVD: CVE-2021-1272 // NVD: CVE-2021-1272

PROBLEMTYPE DATA

problemtype:CWE-918

Trust: 1.1

problemtype:Server-side request forgery (CWE-918) [ Other ]

Trust: 0.8

sources: VULHUB: VHN-374326 // JVNDB: JVNDB-2021-002609 // NVD: CVE-2021-1272

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202101-1549

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-202101-1549

PATCH

title:cisco-sa-dcnm-ssrf-F2vX6q5purl:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dcnm-ssrf-F2vX6q5p

Trust: 0.8

title:Cisco Data Center Network Manager Fixes for code issue vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=139930

Trust: 0.6

title:Cisco: Cisco Data Center Network Manager Server-Side Request Forgery Vulnerabilityurl:https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-dcnm-ssrf-F2vX6q5p

Trust: 0.1

sources: VULMON: CVE-2021-1272 // JVNDB: JVNDB-2021-002609 // CNNVD: CNNVD-202101-1549

EXTERNAL IDS

db:NVDid:CVE-2021-1272

Trust: 2.6

db:JVNDBid:JVNDB-2021-002609

Trust: 0.8

db:AUSCERTid:ESB-2021.0246

Trust: 0.6

db:CNNVDid:CNNVD-202101-1549

Trust: 0.6

db:VULHUBid:VHN-374326

Trust: 0.1

db:VULMONid:CVE-2021-1272

Trust: 0.1

sources: VULHUB: VHN-374326 // VULMON: CVE-2021-1272 // JVNDB: JVNDB-2021-002609 // CNNVD: CNNVD-202101-1549 // NVD: CVE-2021-1272

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-dcnm-ssrf-f2vx6q5p

Trust: 2.4

url:https://nvd.nist.gov/vuln/detail/cve-2021-1272

Trust: 1.4

url:https://www.auscert.org.au/bulletins/esb-2021.0246/

Trust: 0.6

url:https://vigilance.fr/vulnerability/cisco-data-center-network-manager-privilege-escalation-via-server-side-request-forgery-34389

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/918.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/195315

Trust: 0.1

sources: VULHUB: VHN-374326 // VULMON: CVE-2021-1272 // JVNDB: JVNDB-2021-002609 // CNNVD: CNNVD-202101-1549 // NVD: CVE-2021-1272

SOURCES

db:VULHUBid:VHN-374326
db:VULMONid:CVE-2021-1272
db:JVNDBid:JVNDB-2021-002609
db:CNNVDid:CNNVD-202101-1549
db:NVDid:CVE-2021-1272

LAST UPDATE DATE

2024-08-14T13:54:17.341000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-374326date:2021-01-27T00:00:00
db:VULMONid:CVE-2021-1272date:2021-01-27T00:00:00
db:JVNDBid:JVNDB-2021-002609date:2021-09-27T09:05:00
db:CNNVDid:CNNVD-202101-1549date:2021-02-01T00:00:00
db:NVDid:CVE-2021-1272date:2023-11-07T03:27:50.180

SOURCES RELEASE DATE

db:VULHUBid:VHN-374326date:2021-01-20T00:00:00
db:VULMONid:CVE-2021-1272date:2021-01-20T00:00:00
db:JVNDBid:JVNDB-2021-002609date:2021-09-27T00:00:00
db:CNNVDid:CNNVD-202101-1549date:2021-01-20T00:00:00
db:NVDid:CVE-2021-1272date:2021-01-20T20:15:15.830