ID

VAR-202105-0446


CVE

CVE-2021-1306


TITLE

Multiple Cisco products: vulnerability in externally controlled reference to a resource in another sphere

Trust: 0.8

sources: JVNDB: JVNDB-2021-007180

DESCRIPTION

A vulnerability in the restricted shell of Cisco Evolved Programmable Network (EPN) Manager, Cisco Identity Services Engine (ISE), and Cisco Prime Infrastructure could allow an authenticated, local attacker to identify directories and write arbitrary files to the file system. This vulnerability is due to improper validation of parameters that are sent to a CLI command within the restricted shell. An attacker could exploit this vulnerability by logging in to the device and issuing certain CLI commands. A successful exploit could allow the attacker to identify file directories on the affected device and write arbitrary files to the file system on the affected device. To exploit this vulnerability, the attacker must be an authenticated shell user.

Trust: 2.34

sources: NVD: CVE-2021-1306 // JVNDB: JVNDB-2021-007180 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-374360 // VULMON: CVE-2021-1306

AFFECTED PRODUCTS

vendor: cisco, model: identity services engine, scope: lt, version: 2.7.0

Trust: 1.0

vendor: cisco, model: evolved programmable network manager, scope: lt, version: 5.0.1

Trust: 1.0

vendor: cisco, model: prime infrastructure, scope: eq, version: 3.8.1

Trust: 1.0

vendor: cisco, model: prime infrastructure, scope: lt, version: 3.8.1

Trust: 1.0

vendor: cisco, model: identity services engine, scope: eq, version: 3.0.0

Trust: 1.0

vendor: cisco, model: identity services engine, scope: eq, version: 2.7.0

Trust: 1.0

vendor: Cisco Systems, model: cisco prime infrastructure, scope: -, version: -

Trust: 0.8

vendor: Cisco Systems, model: cisco identity services engine, scope: -, version: -

Trust: 0.8

vendor: Cisco Systems, model: cisco evolved programmable network manager, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2021-007180 // NVD: CVE-2021-1306

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-1306
value: LOW

Trust: 1.0

ykramarz@cisco.com: CVE-2021-1306
value: MEDIUM

Trust: 1.0

NVD: CVE-2021-1306
value: LOW

Trust: 0.8

CNNVD: CNNVD-202104-975
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202105-1249
value: LOW

Trust: 0.6

VULHUB: VHN-374360
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2021-1306
severity: LOW
baseScore: 3.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-374360
severity: LOW
baseScore: 3.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-1306
baseSeverity: LOW
baseScore: 3.4
vectorString: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 0.8
impactScore: 2.5
version: 3.1

Trust: 1.0

ykramarz@cisco.com: CVE-2021-1306
baseSeverity: MEDIUM
baseScore: 4.4
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 1.8
impactScore: 2.5
version: 3.1

Trust: 1.0

NVD: CVE-2021-1306
baseSeverity: LOW
baseScore: 3.4
vectorString: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-374360 // JVNDB: JVNDB-2021-007180 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202105-1249 // NVD: CVE-2021-1306 // NVD: CVE-2021-1306

PROBLEMTYPE DATA

problemtype: CWE-610

Trust: 1.1

problemtype: CWE-73

Trust: 1.0

problemtype: Externally controllable reference to another region resource (CWE-610) [NVD Evaluation]

Trust: 0.8

sources: VULHUB: VHN-374360 // JVNDB: JVNDB-2021-007180 // NVD: CVE-2021-1306

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202105-1249

TYPE

other

Trust: 1.2

sources: CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202105-1249

PATCH

title: cisco-sa-ade-xcvAQEOZ, url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ade-xcvAQEOZ

Trust: 0.8

title: Cisco Various product security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=152202

Trust: 0.6

title: Cisco: Cisco ADE-OS Local File Inclusion Vulnerability, url: https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-ade-xcvAQEOZ

Trust: 0.1

sources: VULMON: CVE-2021-1306 // JVNDB: JVNDB-2021-007180 // CNNVD: CNNVD-202105-1249

EXTERNAL IDS

db: NVD, id: CVE-2021-1306

Trust: 3.4

db: JVNDB, id: JVNDB-2021-007180

Trust: 0.8

db: CS-HELP, id: SB2021041363

Trust: 0.6

db: CNNVD, id: CNNVD-202104-975

Trust: 0.6

db: CS-HELP, id: SB2021052107

Trust: 0.6

db: AUSCERT, id: ESB-2021.1774

Trust: 0.6

db: CNNVD, id: CNNVD-202105-1249

Trust: 0.6

db: VULHUB, id: VHN-374360

Trust: 0.1

db: VULMON, id: CVE-2021-1306

Trust: 0.1

sources: VULHUB: VHN-374360 // VULMON: CVE-2021-1306 // JVNDB: JVNDB-2021-007180 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202105-1249 // NVD: CVE-2021-1306

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-ade-xcvaqeoz

Trust: 2.5

url:https://nvd.nist.gov/vuln/detail/cve-2021-1306

Trust: 0.8

url:https://www.cybersecurity-help.cz/vdb/sb2021041363

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.1774

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021052107

Trust: 0.6

url:https://vigilance.fr/vulnerability/cisco-prime-infrastructure-read-write-access-via-cli-ade-os-local-file-inclusion-35487

Trust: 0.6

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-374360 // VULMON: CVE-2021-1306 // JVNDB: JVNDB-2021-007180 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202105-1249 // NVD: CVE-2021-1306

SOURCES

db: VULHUB, id: VHN-374360
db: VULMON, id: CVE-2021-1306
db: JVNDB, id: JVNDB-2021-007180
db: CNNVD, id: CNNVD-202104-975
db: CNNVD, id: CNNVD-202105-1249
db: NVD, id: CVE-2021-1306

LAST UPDATE DATE

2024-08-14T12:42:38.147000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-374360, date: 2021-05-27T00:00:00
db: VULMON, id: CVE-2021-1306, date: 2021-05-22T00:00:00
db: JVNDB, id: JVNDB-2021-007180, date: 2022-02-03T08:31:00
db: CNNVD, id: CNNVD-202104-975, date: 2021-04-14T00:00:00
db: CNNVD, id: CNNVD-202105-1249, date: 2021-05-28T00:00:00
db: NVD, id: CVE-2021-1306, date: 2023-11-07T03:27:55.353

SOURCES RELEASE DATE

db: VULHUB, id: VHN-374360, date: 2021-05-22T00:00:00
db: VULMON, id: CVE-2021-1306, date: 2021-05-22T00:00:00
db: JVNDB, id: JVNDB-2021-007180, date: 2022-02-03T00:00:00
db: CNNVD, id: CNNVD-202104-975, date: 2021-04-13T00:00:00
db: CNNVD, id: CNNVD-202105-1249, date: 2021-05-19T00:00:00
db: NVD, id: CVE-2021-1306, date: 2021-05-22T07:15:07.197