Details of VAR-202103-0779

ID

VAR-202103-0779

CVE

CVE-2021-1443

TITLE

Cisco IOS XE Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2021-004760

DESCRIPTION

A vulnerability in the web UI of Cisco IOS XE Software could allow an authenticated, remote attacker to execute arbitrary code with root privileges on the underlying operating system of an affected device. The vulnerability exists because the affected software improperly sanitizes values that are parsed from a specific configuration file. An attacker could exploit this vulnerability by tampering with a specific configuration file and then sending an API call. A successful exploit could allow the attacker to inject arbitrary code that would be executed on the underlying operating system of the affected device. To exploit this vulnerability, the attacker would need to have a privileged set of credentials to the device. Cisco IOS XE Contains a command injection vulnerability.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. Cisco IOS XE Software is an operating system of Cisco (Cisco). A single operating system for enterprise wired and wireless access, aggregation, core, and WAN, Cisco IOS XE reduces business and network complexity

Trust: 2.34

sources: NVD: CVE-2021-1443 // JVNDB: JVNDB-2021-004760 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-374497 // VULMON: CVE-2021-1443

AFFECTED PRODUCTS

vendor:	cisco	model:	ios xe	scope:	eq	version:	17.2.1a	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.12.2	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.12.1y	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.12.3a	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.9.4	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.9.1a	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	17.1.1	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.9.1s	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.10.1a	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.9.3a	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.10.1s	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.11.2	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.12.1s	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.11.1a	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.9.4c	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.12.1w	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	17.1.1s	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	17.2.1v	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.10.1	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.12.1x	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.12.1	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.11.1	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	17.2.1r	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.9.3s	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.10.2	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.11.1s	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	17.2.1	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.9.1c	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.9.1	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.12.1c	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.9.1b	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.12.2s	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.12.1z	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.11.1b	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.12.2t	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.9.2s	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.10.1b	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.10.1d	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.9.5	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.10.1c	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.12.1t	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.12.1za	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	17.1.1a	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.9.1d	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.12.2a	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	17.1.2	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.9.3h	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.12.1a	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.9.3	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	17.1.1t	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.12.1z1	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.10.1e	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.9.2	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.10.1g	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.11.1c	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.10.3	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.12.3	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.9.5f	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.12.3s	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.10.1f	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	eq	version:	16.9.2a	Trust: 1.0
vendor:	シスコシステムズ	model:	cisco ios xe	scope:	eq	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2021-004760 // NVD: CVE-2021-1443

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-1443
value:	HIGH
Trust: 1.0
ykramarz@cisco.com:	CVE-2021-1443
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2021-1443
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202104-975
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202103-1393
value:	HIGH
Trust: 0.6
VULHUB:	VHN-374497
value:	HIGH
Trust: 0.1
VULMON:	CVE-2021-1443
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2021-1443
severity:	HIGH
baseScore:	8.5
vectorString:	AV:N/AC:M/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	6.8
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-374497
severity:	HIGH
baseScore:	8.5
vectorString:	AV:N/AC:M/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	6.8
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-1443
baseSeverity:	HIGH
baseScore:	7.2
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.2
impactScore:	5.9
version:	3.1
Trust: 1.0
ykramarz@cisco.com:	CVE-2021-1443
baseSeverity:	MEDIUM
baseScore:	5.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	1.2
impactScore:	4.2
version:	3.1
Trust: 1.0
NVD:	CVE-2021-1443
baseSeverity:	HIGH
baseScore:	7.2
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-374497 // VULMON: CVE-2021-1443 // JVNDB: JVNDB-2021-004760 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202103-1393 // NVD: CVE-2021-1443 // NVD: CVE-2021-1443

PROBLEMTYPE DATA

problemtype:	CWE-78	Trust: 1.1
problemtype:	CWE-77	Trust: 1.0
problemtype:	Command injection (CWE-77) [ Other ]	Trust: 0.8

sources: VULHUB: VHN-374497 // JVNDB: JVNDB-2021-004760 // NVD: CVE-2021-1443

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202103-1393

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title:	cisco-sa-ios-xe-os-cmd-inj-Ef6TV5e9	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-xe-os-cmd-inj-Ef6TV5e9	Trust: 0.8
title:	Cisco IOS XE Software Fixes for command injection vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=145697	Trust: 0.6
title:	Cisco: Cisco IOS XE Software Web UI OS Command Injection Vulnerability	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-ios-xe-os-cmd-inj-Ef6TV5e9	Trust: 0.1

sources: VULMON: CVE-2021-1443 // JVNDB: JVNDB-2021-004760 // CNNVD: CNNVD-202103-1393

EXTERNAL IDS

db:	NVD	id:	CVE-2021-1443	Trust: 2.6
db:	JVN	id:	JVNVU99743643	Trust: 0.8
db:	JVNDB	id:	JVNDB-2021-004760	Trust: 0.8
db:	CS-HELP	id:	SB2021041363	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-975	Trust: 0.6
db:	CS-HELP	id:	SB2021042150	Trust: 0.6
db:	CNNVD	id:	CNNVD-202103-1393	Trust: 0.6
db:	VULHUB	id:	VHN-374497	Trust: 0.1
db:	VULMON	id:	CVE-2021-1443	Trust: 0.1

sources: VULHUB: VHN-374497 // VULMON: CVE-2021-1443 // JVNDB: JVNDB-2021-004760 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202103-1393 // NVD: CVE-2021-1443

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-ios-xe-os-cmd-inj-ef6tv5e9	Trust: 2.4
url:	https://nvd.nist.gov/vuln/detail/cve-2021-1443	Trust: 1.4
url:	https://jvn.jp/vu/jvnvu99743643/index.html	Trust: 0.8
url:	https://www.cybersecurity-help.cz/vdb/sb2021041363	Trust: 0.6
url:	https://vigilance.fr/vulnerability/cisco-ios-ios-xe-multiple-vulnerabilities-34940	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021042150	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/77.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/198716	Trust: 0.1

sources: VULHUB: VHN-374497 // VULMON: CVE-2021-1443 // JVNDB: JVNDB-2021-004760 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202103-1393 // NVD: CVE-2021-1443

SOURCES

db:	VULHUB	id:	VHN-374497
db:	VULMON	id:	CVE-2021-1443
db:	JVNDB	id:	JVNDB-2021-004760
db:	CNNVD	id:	CNNVD-202104-975
db:	CNNVD	id:	CNNVD-202103-1393
db:	NVD	id:	CVE-2021-1443

LAST UPDATE DATE

2024-08-14T12:22:42.248000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-374497	date:	2022-08-05T00:00:00
db:	VULMON	id:	CVE-2021-1443	date:	2021-03-29T00:00:00
db:	JVNDB	id:	JVNDB-2021-004760	date:	2021-11-29T09:16:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-14T00:00:00
db:	CNNVD	id:	CNNVD-202103-1393	date:	2022-08-08T00:00:00
db:	NVD	id:	CVE-2021-1443	date:	2023-11-07T03:28:19.460

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-374497	date:	2021-03-24T00:00:00
db:	VULMON	id:	CVE-2021-1443	date:	2021-03-24T00:00:00
db:	JVNDB	id:	JVNDB-2021-004760	date:	2021-11-29T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-13T00:00:00
db:	CNNVD	id:	CNNVD-202103-1393	date:	2021-03-24T00:00:00
db:	NVD	id:	CVE-2021-1443	date:	2021-03-24T20:15:15.227