Sign-up

ID

VAR-202102-0688


CVE

CVE-2021-1388


TITLE

Cisco ACI Multi-Site Orchestrator  Vulnerability in privilege management

Trust: 0.8

sources: JVNDB: JVNDB-2021-001282

DESCRIPTION

A vulnerability in an API endpoint of Cisco ACI Multi-Site Orchestrator (MSO) installed on the Application Services Engine could allow an unauthenticated, remote attacker to bypass authentication on an affected device. The vulnerability is due to improper token validation on a specific API endpoint. An attacker could exploit this vulnerability by sending a crafted request to the affected API. A successful exploit could allow the attacker to receive a token with administrator-level privileges that could be used to authenticate to the API on affected MSO and managed Cisco Application Policy Infrastructure Controller (APIC) devices. Cisco ACI Multi-Site Orchestrator (MSO) Contains a privilege management vulnerability.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Cisco Application Policy Infrastructure Controller (APIC) is an automated infrastructure deployment and governance solution from Cisco

Trust: 1.71

sources: NVD: CVE-2021-1388 // JVNDB: JVNDB-2021-001282 // VULHUB: VHN-374442

AFFECTED PRODUCTS

vendor:ciscomodel:application policy infrastructure controllerscope:eqversion:3.0\(3i\)

Trust: 1.0

vendor:ciscomodel:aci multi-site orchestratorscope:gteversion:3.0

Trust: 1.0

vendor:ciscomodel:aci multi-site orchestratorscope:ltversion:3.0\(3m\)

Trust: 1.0

vendor:シスコシステムズmodel:cisco aci multi-site orchestratorscope:eqversion: -

Trust: 0.8

sources: JVNDB: JVNDB-2021-001282 // NVD: CVE-2021-1388

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-1388
value: CRITICAL

Trust: 1.0

ykramarz@cisco.com: CVE-2021-1388
value: CRITICAL

Trust: 1.0

NVD: CVE-2021-1388
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-202102-1564
value: CRITICAL

Trust: 0.6

VULHUB: VHN-374442
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2021-1388
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-374442
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-1388
baseSeverity: CRITICAL
baseScore: 10.0
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 6.0
version: 3.1

Trust: 2.0

NVD: CVE-2021-1388
baseSeverity: CRITICAL
baseScore: 10
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-374442 // JVNDB: JVNDB-2021-001282 // CNNVD: CNNVD-202102-1564 // NVD: CVE-2021-1388 // NVD: CVE-2021-1388

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

problemtype:CWE-269

Trust: 1.0

problemtype:Improper authority management (CWE-269) [NVD Evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2021-001282 // NVD: CVE-2021-1388

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202102-1564

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202102-1564

PATCH

title:cisco-sa-mso-authbyp-bb5GmBQvurl:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-mso-authbyp-bb5GmBQv

Trust: 0.8

title:Cisco ACI Multi-Site Orchestrator Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=142707

Trust: 0.6

sources: JVNDB: JVNDB-2021-001282 // CNNVD: CNNVD-202102-1564

EXTERNAL IDS

db:NVDid:CVE-2021-1388

Trust: 2.5

db:JVNDBid:JVNDB-2021-001282

Trust: 0.8

db:CNNVDid:CNNVD-202102-1564

Trust: 0.7

db:AUSCERTid:ESB-2021.0698

Trust: 0.6

db:VULHUBid:VHN-374442

Trust: 0.1

sources: VULHUB: VHN-374442 // JVNDB: JVNDB-2021-001282 // CNNVD: CNNVD-202102-1564 // NVD: CVE-2021-1388

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-mso-authbyp-bb5gmbqv

Trust: 2.3

url:https://nvd.nist.gov/vuln/detail/cve-2021-1388

Trust: 1.4

url:https://www.auscert.org.au/bulletins/esb-2021.0698

Trust: 0.6

sources: VULHUB: VHN-374442 // JVNDB: JVNDB-2021-001282 // CNNVD: CNNVD-202102-1564 // NVD: CVE-2021-1388

SOURCES

db:VULHUBid:VHN-374442
db:JVNDBid:JVNDB-2021-001282
db:CNNVDid:CNNVD-202102-1564
db:NVDid:CVE-2021-1388

LAST UPDATE DATE

2024-11-23T21:51:02.806000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-374442date:2022-08-05T00:00:00
db:JVNDBid:JVNDB-2021-001282date:2021-03-22T09:26:00
db:CNNVDid:CNNVD-202102-1564date:2022-08-08T00:00:00
db:NVDid:CVE-2021-1388date:2024-11-21T05:44:14.400

SOURCES RELEASE DATE

db:VULHUBid:VHN-374442date:2021-02-24T00:00:00
db:JVNDBid:JVNDB-2021-001282date:2021-03-22T00:00:00
db:CNNVDid:CNNVD-202102-1564date:2021-02-24T00:00:00
db:NVDid:CVE-2021-1388date:2021-02-24T20:15:13.660