ID

VAR-202104-0376


CVE

CVE-2021-1369


TITLE

Pillow Buffer error vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

DESCRIPTION

A vulnerability in the REST API of Cisco Firepower Device Manager (FDM) On-Box Software could allow an authenticated, remote attacker to gain read and write access to information that is stored on an affected device. This vulnerability is due to the improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by sending malicious requests that contain references in XML entities to an affected system. A successful exploit could allow the attacker to retrieve files from the local system, resulting in the disclosure of sensitive information or causing a partial denial of service (DoS) condition on the affected device. Pillow is a Python-based image processing library. There is currently no information about this vulnerability; please follow CNNVD or manufacturer announcements. Cisco Firepower Device Manager (FDM) is a firewall device manager from Cisco. The product supports access rule configuration, system monitoring and other functions.

Trust: 1.62

sources: NVD: CVE-2021-1369 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-374423 // VULMON: CVE-2021-1369

AFFECTED PRODUCTS

vendor: cisco
model: firepower device manager
scope: gte
version: 6.6.0

Trust: 1.0

vendor: cisco
model: firepower device manager
scope: lt
version: 6.5.0.5

Trust: 1.0

vendor: cisco
model: firepower device manager
scope: lt
version: 6.6.3

Trust: 1.0

sources: NVD: CVE-2021-1369

CVSS

SEVERITY

nvd@nist.gov: CVE-2021-1369
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2021-1369
value: MEDIUM

Trust: 1.0

CNNVD: CNNVD-202104-975
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202104-2100
value: MEDIUM

Trust: 0.6

VULHUB: VHN-374423
value: MEDIUM

Trust: 0.1

VULMON: CVE-2021-1369
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2021-1369
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

VULHUB: VHN-374423
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2021-1369
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: LOW
exploitabilityScore: 2.8
impactScore: 2.5
version: 3.1

Trust: 2.0

sources: VULHUB: VHN-374423 // VULMON: CVE-2021-1369 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202104-2100 // NVD: CVE-2021-1369 // NVD: CVE-2021-1369

PROBLEMTYPE DATA

problemtype: CWE-611

Trust: 1.1

sources: VULHUB: VHN-374423 // NVD: CVE-2021-1369

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202104-2100

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title: Cisco Firepower Device Manager Fixes for code issue vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=148804

Trust: 0.6

title: Cisco: Cisco Firepower Device Manager On-Box Software XML External Entity Vulnerability
url: https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-fdm-xxe-zR7sxPfs

Trust: 0.1

sources: VULMON: CVE-2021-1369 // CNNVD: CNNVD-202104-2100

EXTERNAL IDS

db: NVD, id: CVE-2021-1369

Trust: 1.8

db: CNNVD, id: CNNVD-202104-2100

Trust: 0.7

db: CS-HELP, id: SB2021041363

Trust: 0.6

db: CNNVD, id: CNNVD-202104-975

Trust: 0.6

db: CS-HELP, id: SB2021042906

Trust: 0.6

db: AUSCERT, id: ESB-2021.1470

Trust: 0.6

db: VULHUB, id: VHN-374423

Trust: 0.1

db: VULMON, id: CVE-2021-1369

Trust: 0.1

sources: VULHUB: VHN-374423 // VULMON: CVE-2021-1369 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202104-2100 // NVD: CVE-2021-1369

REFERENCES

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-fdm-xxe-zr7sxpfs

Trust: 1.9

url: https://www.cybersecurity-help.cz/vdb/sb2021041363

Trust: 0.6

url: https://www.auscert.org.au/bulletins/esb-2021.1470

Trust: 0.6

url: https://nvd.nist.gov/vuln/detail/cve-2021-1369

Trust: 0.6

url: https://www.cybersecurity-help.cz/vdb/sb2021042906

Trust: 0.6

url: https://cwe.mitre.org/data/definitions/611.html

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-374423 // VULMON: CVE-2021-1369 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202104-2100 // NVD: CVE-2021-1369

SOURCES

db: VULHUB, id: VHN-374423
db: VULMON, id: CVE-2021-1369
db: CNNVD, id: CNNVD-202104-975
db: CNNVD, id: CNNVD-202104-2100
db: NVD, id: CVE-2021-1369

LAST UPDATE DATE

2024-08-14T12:18:31.673000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-374423, date: 2021-05-05T00:00:00
db: VULMON, id: CVE-2021-1369, date: 2021-05-05T00:00:00
db: CNNVD, id: CNNVD-202104-975, date: 2021-04-14T00:00:00
db: CNNVD, id: CNNVD-202104-2100, date: 2021-05-06T00:00:00
db: NVD, id: CVE-2021-1369, date: 2023-11-07T03:28:07.240

SOURCES RELEASE DATE

db: VULHUB, id: VHN-374423, date: 2021-04-29T00:00:00
db: VULMON, id: CVE-2021-1369, date: 2021-04-29T00:00:00
db: CNNVD, id: CNNVD-202104-975, date: 2021-04-13T00:00:00
db: CNNVD, id: CNNVD-202104-2100, date: 2021-04-28T00:00:00
db: NVD, id: CVE-2021-1369, date: 2021-04-29T18:15:08.887