ID

VAR-202104-0897


CVE

CVE-2021-1476


TITLE

Pillow Buffer error vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

DESCRIPTION

A vulnerability in the CLI of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system (OS) of an affected device. The vulnerability is due to insufficient input validation of commands that are supplied by the user. An attacker could exploit this vulnerability by authenticating to a device and submitting crafted input for specific commands. A successful exploit could allow the attacker to execute commands on the underlying OS with root privileges. To exploit this vulnerability, an attacker must have valid administrator-level credentials. Pillow is a Python-based image processing library. There is currently no information about this vulnerability; please feel free to follow CNNVD or manufacturer announcements. Cisco Firepower Threat Defense is a suite of unified software that provides next-generation firewall services. Cisco Adaptive Security Appliance is a network device used to protect corporate networks and data centers of all sizes.

Trust: 1.62

sources: NVD: CVE-2021-1476 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-374530 // VULMON: CVE-2021-1476

AFFECTED PRODUCTS

vendor: cisco, model: adaptive security appliance software, scope: gte, version: 9.14

Trust: 1.0

vendor: cisco, model: adaptive security appliance software, scope: gte, version: 9.13

Trust: 1.0

vendor: cisco, model: adaptive security appliance software, scope: lt, version: 9.15.1.10

Trust: 1.0

vendor: cisco, model: adaptive security appliance software, scope: lt, version: 9.14.2.13

Trust: 1.0

vendor: cisco, model: firepower threat defense, scope: lt, version: 6.7.0.2

Trust: 1.0

vendor: cisco, model: firepower threat defense, scope: lt, version: 6.6.4

Trust: 1.0

vendor: cisco, model: adaptive security appliance software, scope: lt, version: 9.13.1.21

Trust: 1.0

vendor: cisco, model: firepower threat defense, scope: gte, version: 6.5.0

Trust: 1.0

vendor: cisco, model: adaptive security appliance software, scope: gte, version: 9.15

Trust: 1.0

vendor: cisco, model: firepower threat defense, scope: gte, version: 6.7.0

Trust: 1.0

sources: NVD: CVE-2021-1476

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-1476
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2021-1476
value: MEDIUM

Trust: 1.0

CNNVD: CNNVD-202104-975
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202104-2078
value: MEDIUM

Trust: 0.6

VULHUB: VHN-374530
value: HIGH

Trust: 0.1

VULMON: CVE-2021-1476
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2021-1476
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

VULHUB: VHN-374530
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-1476
baseSeverity: MEDIUM
baseScore: 6.7
vectorString: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 0.8
impactScore: 5.9
version: 3.1

Trust: 2.0

sources: VULHUB: VHN-374530 // VULMON: CVE-2021-1476 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202104-2078 // NVD: CVE-2021-1476 // NVD: CVE-2021-1476

PROBLEMTYPE DATA

problemtype: CWE-78

Trust: 1.1

sources: VULHUB: VHN-374530 // NVD: CVE-2021-1476

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202104-2078

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title: Cisco Adaptive Security Appliance and Cisco Firepower Threat Defense Fixes for operating system command injection vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=149018

Trust: 0.6

sources: CNNVD: CNNVD-202104-2078

EXTERNAL IDS

db: NVD, id: CVE-2021-1476

Trust: 1.8

db: CNNVD, id: CNNVD-202104-2078

Trust: 0.7

db: CS-HELP, id: SB2021041363

Trust: 0.6

db: CNNVD, id: CNNVD-202104-975

Trust: 0.6

db: AUSCERT, id: ESB-2021.1468

Trust: 0.6

db: CS-HELP, id: SB2021042833

Trust: 0.6

db: VULHUB, id: VHN-374530

Trust: 0.1

db: VULMON, id: CVE-2021-1476

Trust: 0.1

sources: VULHUB: VHN-374530 // VULMON: CVE-2021-1476 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202104-2078 // NVD: CVE-2021-1476

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-asa-ftd-cmd-inj-selprvg

Trust: 1.8

url:https://www.cybersecurity-help.cz/vdb/sb2021041363

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021042833

Trust: 0.6

url:https://nvd.nist.gov/vuln/detail/cve-2021-1476

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.1468

Trust: 0.6

url:https://vigilance.fr/vulnerability/cisco-asa-shell-command-execution-via-cli-35205

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/78.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-374530 // VULMON: CVE-2021-1476 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202104-2078 // NVD: CVE-2021-1476

SOURCES

db: VULHUB, id: VHN-374530
db: VULMON, id: CVE-2021-1476
db: CNNVD, id: CNNVD-202104-975
db: CNNVD, id: CNNVD-202104-2078
db: NVD, id: CVE-2021-1476

LAST UPDATE DATE

2024-08-14T13:16:37.174000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-374530, date: 2021-05-09T00:00:00
db: VULMON, id: CVE-2021-1476, date: 2021-05-09T00:00:00
db: CNNVD, id: CNNVD-202104-975, date: 2021-04-14T00:00:00
db: CNNVD, id: CNNVD-202104-2078, date: 2021-05-10T00:00:00
db: NVD, id: CVE-2021-1476, date: 2023-11-07T03:28:23.913

SOURCES RELEASE DATE

db: VULHUB, id: VHN-374530, date: 2021-04-29T00:00:00
db: VULMON, id: CVE-2021-1476, date: 2021-04-29T00:00:00
db: CNNVD, id: CNNVD-202104-975, date: 2021-04-13T00:00:00
db: CNNVD, id: CNNVD-202104-2078, date: 2021-04-28T00:00:00
db: NVD, id: CVE-2021-1476, date: 2021-04-29T18:15:09.197