Details of VAR-202104-0879

ID

VAR-202104-0879

CVE

CVE-2021-1485

TITLE

Cisco IOS XR Parameter injection vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-202104-450

DESCRIPTION

A vulnerability in the CLI of Cisco IOS XR Software could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges on the underlying Linux operating system (OS) of an affected device. This vulnerability is due to insufficient input validation of commands that are supplied by the user. An attacker could exploit this vulnerability by authenticating to a device and submitting crafted input to an affected command. A successful exploit could allow the attacker to execute commands on the underlying Linux OS with root privileges. Cisco IOS XR is an operating system developed by Cisco for its network equipment. Cisco IOS XR has a parameter injection vulnerability that can be exploited by an attacker to execute code through command injection

Trust: 1.08

sources: NVD: CVE-2021-1485 // VULHUB: VHN-374539 // VULMON: CVE-2021-1485

AFFECTED PRODUCTS

vendor:

cisco

model:

ios xr

scope:

version:

7.3.1

Trust: 1.0

sources: NVD: CVE-2021-1485

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-1485
value:	HIGH
Trust: 1.0
ykramarz@cisco.com:	CVE-2021-1485
value:	MEDIUM
Trust: 1.0
CNNVD:	CNNVD-202104-450
value:	HIGH
Trust: 0.6
VULHUB:	VHN-374539
value:	HIGH
Trust: 0.1
VULMON:	CVE-2021-1485
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2021-1485
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
VULHUB:	VHN-374539
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-1485
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	5.9
version:	3.1
Trust: 1.0
ykramarz@cisco.com:	CVE-2021-1485
baseSeverity:	MEDIUM
baseScore:	6.6
vectorString:	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	HIGH
availabilityImpact:	LOW
exploitabilityScore:	1.8
impactScore:	4.7
version:	3.1
Trust: 1.0

sources: VULHUB: VHN-374539 // VULMON: CVE-2021-1485 // CNNVD: CNNVD-202104-450 // NVD: CVE-2021-1485 // NVD: CVE-2021-1485

PROBLEMTYPE DATA

problemtype:

CWE-88

Trust: 1.1

sources: VULHUB: VHN-374539 // NVD: CVE-2021-1485

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202104-450

TYPE

parameter injection

Trust: 0.6

sources: CNNVD: CNNVD-202104-450

PATCH

title:	Cisco IOS XR Repair measures for parameter injection vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=147031	Trust: 0.6
title:	Cisco: Cisco IOS XR Software Command Injection Vulnerability	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-xr-cmdinj-vsKGherc	Trust: 0.1

sources: VULMON: CVE-2021-1485 // CNNVD: CNNVD-202104-450

EXTERNAL IDS

db:	NVD	id:	CVE-2021-1485	Trust: 1.8
db:	CNNVD	id:	CNNVD-202104-450	Trust: 0.7
db:	AUSCERT	id:	ESB-2021.1167	Trust: 0.6
db:	VULHUB	id:	VHN-374539	Trust: 0.1
db:	VULMON	id:	CVE-2021-1485	Trust: 0.1

sources: VULHUB: VHN-374539 // VULMON: CVE-2021-1485 // CNNVD: CNNVD-202104-450 // NVD: CVE-2021-1485

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-xr-cmdinj-vskgherc	Trust: 1.9
url:	https://nvd.nist.gov/vuln/detail/cve-2021-1485	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.1167	Trust: 0.6
url:	https://vigilance.fr/vulnerability/cisco-ios-xr-code-execution-via-command-injection-35029	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/88.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-374539 // VULMON: CVE-2021-1485 // CNNVD: CNNVD-202104-450 // NVD: CVE-2021-1485

SOURCES

db:	VULHUB	id:	VHN-374539
db:	VULMON	id:	CVE-2021-1485
db:	CNNVD	id:	CNNVD-202104-450
db:	NVD	id:	CVE-2021-1485

LAST UPDATE DATE

2024-08-14T14:50:17.207000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-374539	date:	2021-04-20T00:00:00
db:	VULMON	id:	CVE-2021-1485	date:	2021-04-20T00:00:00
db:	CNNVD	id:	CNNVD-202104-450	date:	2021-04-22T00:00:00
db:	NVD	id:	CVE-2021-1485	date:	2023-11-07T03:28:24.777

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-374539	date:	2021-04-08T00:00:00
db:	VULMON	id:	CVE-2021-1485	date:	2021-04-08T00:00:00
db:	CNNVD	id:	CNNVD-202104-450	date:	2021-04-07T00:00:00
db:	NVD	id:	CVE-2021-1485	date:	2021-04-08T04:15:14.203