Details of VAR-202105-0446

ID

VAR-202105-0446

CVE

CVE-2021-1306

TITLE

plural Cisco Vulnerability in externally controllable references to resources in other areas of the product

Trust: 0.8

sources: JVNDB: JVNDB-2021-007180

DESCRIPTION

A vulnerability in the restricted shell of Cisco Evolved Programmable Network (EPN) Manager, Cisco Identity Services Engine (ISE), and Cisco Prime Infrastructure could allow an authenticated, local attacker to identify directories and write arbitrary files to the file system. This vulnerability is due to improper validation of parameters that are sent to a CLI command within the restricted shell. An attacker could exploit this vulnerability by logging in to the device and issuing certain CLI commands. A successful exploit could allow the attacker to identify file directories on the affected device and write arbitrary files to the file system on the affected device. To exploit this vulnerability, the attacker must be an authenticated shell user. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements

Trust: 2.34

sources: NVD: CVE-2021-1306 // JVNDB: JVNDB-2021-007180 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-374360 // VULMON: CVE-2021-1306

AFFECTED PRODUCTS

vendor:	cisco	model:	identity services engine	scope:	lt	version:	2.7.0	Trust: 1.0
vendor:	cisco	model:	evolved programmable network manager	scope:	lt	version:	5.0.1	Trust: 1.0
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	3.8.1	Trust: 1.0
vendor:	cisco	model:	prime infrastructure	scope:	lt	version:	3.8.1	Trust: 1.0
vendor:	cisco	model:	identity services engine	scope:	eq	version:	3.0.0	Trust: 1.0
vendor:	cisco	model:	identity services engine	scope:	eq	version:	2.7.0	Trust: 1.0
vendor:	シスコシステムズ	model:	cisco prime infrastructure	scope:	-	version:	-	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco identity services engine	scope:	-	version:	-	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco evolved programmable network manager	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2021-007180 // NVD: CVE-2021-1306

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-1306
value:	LOW
Trust: 1.0
ykramarz@cisco.com:	CVE-2021-1306
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2021-1306
value:	LOW
Trust: 0.8
CNNVD:	CNNVD-202104-975
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202105-1249
value:	LOW
Trust: 0.6
VULHUB:	VHN-374360
value:	LOW
Trust: 0.1

nvd@nist.gov:	CVE-2021-1306
severity:	LOW
baseScore:	3.6
vectorString:	AV:L/AC:L/AU:N/C:P/I:P/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-374360
severity:	LOW
baseScore:	3.6
vectorString:	AV:L/AC:L/AU:N/C:P/I:P/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-1306
baseSeverity:	LOW
baseScore:	3.4
vectorString:	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	0.8
impactScore:	2.5
version:	3.1
Trust: 1.0
ykramarz@cisco.com:	CVE-2021-1306
baseSeverity:	MEDIUM
baseScore:	4.4
vectorString:	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	1.8
impactScore:	2.5
version:	3.1
Trust: 1.0
NVD:	CVE-2021-1306
baseSeverity:	LOW
baseScore:	3.4
vectorString:	CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-374360 // JVNDB: JVNDB-2021-007180 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202105-1249 // NVD: CVE-2021-1306 // NVD: CVE-2021-1306

PROBLEMTYPE DATA

problemtype:	CWE-610	Trust: 1.1
problemtype:	CWE-73	Trust: 1.0
problemtype:	Externally controllable reference to another region resource (CWE-610) [NVD Evaluation ]	Trust: 0.8

sources: VULHUB: VHN-374360 // JVNDB: JVNDB-2021-007180 // NVD: CVE-2021-1306

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202105-1249

TYPE

other

Trust: 1.2

sources: CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202105-1249

PATCH

title:	cisco-sa-ade-xcvAQEOZ	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ade-xcvAQEOZ	Trust: 0.8
title:	Cisco Various product security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=152202	Trust: 0.6
title:	Cisco: Cisco ADE-OS Local File Inclusion Vulnerability	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-ade-xcvAQEOZ	Trust: 0.1

sources: VULMON: CVE-2021-1306 // JVNDB: JVNDB-2021-007180 // CNNVD: CNNVD-202105-1249

EXTERNAL IDS

db:	NVD	id:	CVE-2021-1306	Trust: 3.4
db:	JVNDB	id:	JVNDB-2021-007180	Trust: 0.8
db:	CS-HELP	id:	SB2021041363	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-975	Trust: 0.6
db:	CS-HELP	id:	SB2021052107	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.1774	Trust: 0.6
db:	CNNVD	id:	CNNVD-202105-1249	Trust: 0.6
db:	VULHUB	id:	VHN-374360	Trust: 0.1
db:	VULMON	id:	CVE-2021-1306	Trust: 0.1

sources: VULHUB: VHN-374360 // VULMON: CVE-2021-1306 // JVNDB: JVNDB-2021-007180 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202105-1249 // NVD: CVE-2021-1306

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-ade-xcvaqeoz	Trust: 2.5
url:	https://nvd.nist.gov/vuln/detail/cve-2021-1306	Trust: 0.8
url:	https://www.cybersecurity-help.cz/vdb/sb2021041363	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.1774	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021052107	Trust: 0.6
url:	https://vigilance.fr/vulnerability/cisco-prime-infrastructure-read-write-access-via-cli-ade-os-local-file-inclusion-35487	Trust: 0.6
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-374360 // VULMON: CVE-2021-1306 // JVNDB: JVNDB-2021-007180 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202105-1249 // NVD: CVE-2021-1306

SOURCES

db:	VULHUB	id:	VHN-374360
db:	VULMON	id:	CVE-2021-1306
db:	JVNDB	id:	JVNDB-2021-007180
db:	CNNVD	id:	CNNVD-202104-975
db:	CNNVD	id:	CNNVD-202105-1249
db:	NVD	id:	CVE-2021-1306

LAST UPDATE DATE

2024-08-14T12:42:38.147000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-374360	date:	2021-05-27T00:00:00
db:	VULMON	id:	CVE-2021-1306	date:	2021-05-22T00:00:00
db:	JVNDB	id:	JVNDB-2021-007180	date:	2022-02-03T08:31:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-14T00:00:00
db:	CNNVD	id:	CNNVD-202105-1249	date:	2021-05-28T00:00:00
db:	NVD	id:	CVE-2021-1306	date:	2023-11-07T03:27:55.353

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-374360	date:	2021-05-22T00:00:00
db:	VULMON	id:	CVE-2021-1306	date:	2021-05-22T00:00:00
db:	JVNDB	id:	JVNDB-2021-007180	date:	2022-02-03T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-13T00:00:00
db:	CNNVD	id:	CNNVD-202105-1249	date:	2021-05-19T00:00:00
db:	NVD	id:	CVE-2021-1306	date:	2021-05-22T07:15:07.197