Details of VAR-202104-0375

ID

VAR-202104-0375

CVE

CVE-2021-1362

TITLE

plural Cisco Code injection vulnerabilities in products

Trust: 0.8

sources: JVNDB: JVNDB-2021-005372

DESCRIPTION

A vulnerability in the SOAP API endpoint of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, Cisco Unity Connection, and Cisco Prime License Manager could allow an authenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to improper sanitization of user-supplied input. An attacker could exploit this vulnerability by sending a SOAP API request with crafted parameters to an affected device. A successful exploit could allow the attacker to execute arbitrary code with root privileges on the underlying Linux operating system of the affected device. plural Cisco The product contains a code injection vulnerability.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Cisco Unity Connection is a voice message platform. The platform can utilize voice commands to make calls or listen to messages hands-free. This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution

Trust: 1.8

sources: NVD: CVE-2021-1362 // JVNDB: JVNDB-2021-005372 // VULHUB: VHN-374416 // VULMON: CVE-2021-1362

AFFECTED PRODUCTS

vendor:	cisco	model:	prime license manager	scope:	gte	version:	10.5\(2\)	Trust: 1.0
vendor:	cisco	model:	unity connection	scope:	lt	version:	12.5\(1\)su4	Trust: 1.0
vendor:	cisco	model:	prime license manager	scope:	lt	version:	11.5\(1\)su9	Trust: 1.0
vendor:	cisco	model:	unified communications manager	scope:	lt	version:	11.5\(1\)su9	Trust: 1.0
vendor:	cisco	model:	unified communications manager	scope:	lt	version:	12.5\(1\)su4	Trust: 1.0
vendor:	cisco	model:	unified communications manager	scope:	gte	version:	12.0\(1\)	Trust: 1.0
vendor:	cisco	model:	unity connection	scope:	gte	version:	12.0\(1\)	Trust: 1.0
vendor:	cisco	model:	unity connection	scope:	lt	version:	11.5\(1\)su9	Trust: 1.0
vendor:	cisco	model:	unified communications manager	scope:	gte	version:	10.5\(2\)	Trust: 1.0
vendor:	cisco	model:	unified communications manager im \& presence service	scope:	gte	version:	12.0\(1\)	Trust: 1.0
vendor:	cisco	model:	unity connection	scope:	gte	version:	10.5\(2\)	Trust: 1.0
vendor:	cisco	model:	unified communications manager im \& presence service	scope:	gte	version:	10.5\(2\)	Trust: 1.0
vendor:	cisco	model:	unified communications manager im \& presence service	scope:	lt	version:	12.5\(1\)su4	Trust: 1.0
vendor:	cisco	model:	unified communications manager im \& presence service	scope:	lt	version:	11.5\(1\)su9	Trust: 1.0
vendor:	シスコシステムズ	model:	cisco unity connection	scope:	eq	version:	-	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco prime license manager	scope:	-	version:	-	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco unified communications manager	scope:	-	version:	-	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco unified communications manager im and presence service	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2021-005372 // NVD: CVE-2021-1362

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-1362
value:	HIGH
Trust: 1.0
ykramarz@cisco.com:	CVE-2021-1362
value:	HIGH
Trust: 1.0
NVD:	CVE-2021-1362
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202104-445
value:	HIGH
Trust: 0.6
VULHUB:	VHN-374416
value:	HIGH
Trust: 0.1
VULMON:	CVE-2021-1362
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2021-1362
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-374416
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-1362
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 2.0
NVD:	CVE-2021-1362
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-374416 // VULMON: CVE-2021-1362 // JVNDB: JVNDB-2021-005372 // CNNVD: CNNVD-202104-445 // NVD: CVE-2021-1362 // NVD: CVE-2021-1362

PROBLEMTYPE DATA

problemtype:	CWE-94	Trust: 1.1
problemtype:	Code injection (CWE-94) [ Other ]	Trust: 0.8

sources: VULHUB: VHN-374416 // JVNDB: JVNDB-2021-005372 // NVD: CVE-2021-1362

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202104-445

TYPE

code injection

Trust: 0.6

sources: CNNVD: CNNVD-202104-445

PATCH

title:	cisco-sa-cucm-rce-pqVYwyb	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-rce-pqVYwyb	Trust: 0.8
title:	Cisco Unified Communications Manager and Cisco Unity Connection Fixes for code injection vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=147026	Trust: 0.6
title:	Cisco: Cisco Unified Communications Products Remote Code Execution Vulnerability	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-cucm-rce-pqVYwyb	Trust: 0.1

sources: VULMON: CVE-2021-1362 // JVNDB: JVNDB-2021-005372 // CNNVD: CNNVD-202104-445

EXTERNAL IDS

db:	NVD	id:	CVE-2021-1362	Trust: 3.4
db:	JVNDB	id:	JVNDB-2021-005372	Trust: 0.8
db:	AUSCERT	id:	ESB-2021.1168	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-445	Trust: 0.6
db:	VULHUB	id:	VHN-374416	Trust: 0.1
db:	VULMON	id:	CVE-2021-1362	Trust: 0.1

sources: VULHUB: VHN-374416 // VULMON: CVE-2021-1362 // JVNDB: JVNDB-2021-005372 // CNNVD: CNNVD-202104-445 // NVD: CVE-2021-1362

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-cucm-rce-pqvywyb	Trust: 2.5
url:	https://nvd.nist.gov/vuln/detail/cve-2021-1362	Trust: 1.4
url:	https://www.auscert.org.au/bulletins/esb-2021.1168	Trust: 0.6
url:	https://vigilance.fr/vulnerability/cisco-unified-communications-manager-unity-connection-code-execution-via-soap-api-request-35024	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/94.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-374416 // VULMON: CVE-2021-1362 // JVNDB: JVNDB-2021-005372 // CNNVD: CNNVD-202104-445 // NVD: CVE-2021-1362

SOURCES

db:	VULHUB	id:	VHN-374416
db:	VULMON	id:	CVE-2021-1362
db:	JVNDB	id:	JVNDB-2021-005372
db:	CNNVD	id:	CNNVD-202104-445
db:	NVD	id:	CVE-2021-1362

LAST UPDATE DATE

2024-08-14T13:54:06.484000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-374416	date:	2021-04-15T00:00:00
db:	VULMON	id:	CVE-2021-1362	date:	2021-04-15T00:00:00
db:	JVNDB	id:	JVNDB-2021-005372	date:	2021-12-13T09:08:00
db:	CNNVD	id:	CNNVD-202104-445	date:	2021-04-19T00:00:00
db:	NVD	id:	CVE-2021-1362	date:	2023-11-07T03:28:05.947

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-374416	date:	2021-04-08T00:00:00
db:	VULMON	id:	CVE-2021-1362	date:	2021-04-08T00:00:00
db:	JVNDB	id:	JVNDB-2021-005372	date:	2021-12-13T00:00:00
db:	CNNVD	id:	CNNVD-202104-445	date:	2021-04-07T00:00:00
db:	NVD	id:	CVE-2021-1362	date:	2021-04-08T04:15:12.140