Details of VAR-202105-0617

ID

VAR-202105-0617

CVE

CVE-2021-1499

TITLE

Cisco HyperFlex HX Data Platform Access Control Error Vulnerability

Trust: 0.6

sources: CNVD: CNVD-2021-35615

DESCRIPTION

A vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform could allow an unauthenticated, remote attacker to upload files to an affected device. This vulnerability is due to missing authentication for the upload function. An attacker could exploit this vulnerability by sending a specific HTTP request to an affected device. A successful exploit could allow the attacker to upload files to the affected device with the permissions of the tomcat8 user. Cisco HyperFlex HX Data Platform is a network device of Cisco (Cisco) in the United States. Provide enterprise-level agility, scalability, security and life cycle management functions. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements

Trust: 2.07

sources: NVD: CVE-2021-1499 // CNVD: CNVD-2021-35615 // CNNVD: CNNVD-202104-975 // VULMON: CVE-2021-1499

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2021-35615

AFFECTED PRODUCTS

vendor:	cisco	model:	hyperflex hx data platform	scope:	gte	version:	4.5	Trust: 1.0
vendor:	cisco	model:	hyperflex hx data platform	scope:	lt	version:	4.5\(2a\)	Trust: 1.0
vendor:	cisco	model:	hyperflex hx data platform	scope:	lt	version:	4.0\(2e\)	Trust: 1.0
vendor:	cisco	model:	hyperflex hx data platform	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2021-35615 // NVD: CVE-2021-1499

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-1499
value:	MEDIUM
Trust: 1.0
ykramarz@cisco.com:	CVE-2021-1499
value:	MEDIUM
Trust: 1.0
CNVD:	CNVD-2021-35615
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202104-975
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202105-140
value:	MEDIUM
Trust: 0.6
VULMON:	CVE-2021-1499
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-1499
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
CNVD:	CNVD-2021-35615
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2021-1499
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	1.4
version:	3.1
Trust: 2.0

sources: CNVD: CNVD-2021-35615 // VULMON: CVE-2021-1499 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202105-140 // NVD: CVE-2021-1499 // NVD: CVE-2021-1499

PROBLEMTYPE DATA

problemtype:

CWE-306

Trust: 1.0

sources: NVD: CVE-2021-1499

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202105-140

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title:	Patch for Cisco HyperFlex HX Data Platform Access Control Error Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/265646	Trust: 0.6
title:	Cisco Cisco HyperFlex HX Data Platform Fixes for access control error vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=154669	Trust: 0.6
title:	Cisco: Cisco HyperFlex HX Data Platform File Upload Vulnerability	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-hyperflex-upload-KtCK8Ugz	Trust: 0.1
title:	Awesome-POC	url:	https://github.com/ArrestX/--POC	Trust: 0.1
title:	Normal-POC	url:	https://github.com/Miraitowa70/POC-Notes	Trust: 0.1
title:	Normal-POC	url:	https://github.com/Miraitowa70/Pentest-Notes	Trust: 0.1
title:	Vulnerability	url:	https://github.com/tzwlhack/Vulnerability	Trust: 0.1
title:	Awesome-POC	url:	https://github.com/KayCHENvip/vulnerability-poc	Trust: 0.1
title:	https://github.com/20142995/Goby	url:	https://github.com/20142995/Goby	Trust: 0.1
title:	Awesome-POC	url:	https://github.com/Threekiii/Awesome-POC	Trust: 0.1
title:	Goby_POC POC 数量1319	url:	https://github.com/Z0fhack/Goby_POC	Trust: 0.1
title:	SecBooks SecBooks目录	url:	https://github.com/SexyBeast233/SecBooks	Trust: 0.1
title:	Kenzer Templates [5170] [DEPRECATED]	url:	https://github.com/ARPSyndicate/kenzer-templates	Trust: 0.1

sources: CNVD: CNVD-2021-35615 // VULMON: CVE-2021-1499 // CNNVD: CNNVD-202105-140

EXTERNAL IDS

db:	NVD	id:	CVE-2021-1499	Trust: 2.3
db:	PACKETSTORM	id:	163203	Trust: 1.7
db:	AUSCERT	id:	ESB-2021.1537	Trust: 1.2
db:	CNVD	id:	CNVD-2021-35615	Trust: 0.6
db:	CS-HELP	id:	SB2021041363	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-975	Trust: 0.6
db:	CS-HELP	id:	SB2021050630	Trust: 0.6
db:	CNNVD	id:	CNNVD-202105-140	Trust: 0.6
db:	VULMON	id:	CVE-2021-1499	Trust: 0.1

sources: CNVD: CNVD-2021-35615 // VULMON: CVE-2021-1499 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202105-140 // NVD: CVE-2021-1499

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-hyperflex-upload-ktck8ugz	Trust: 2.4
url:	http://packetstormsecurity.com/files/163203/cisco-hyperflex-hx-data-platform-file-upload-remote-code-execution.html	Trust: 2.4
url:	https://www.auscert.org.au/bulletins/esb-2021.1537	Trust: 1.2
url:	https://www.cybersecurity-help.cz/vdb/sb2021041363	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021050630	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/306.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://github.com/arrestx/--poc	Trust: 0.1

sources: CNVD: CNVD-2021-35615 // VULMON: CVE-2021-1499 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202105-140 // NVD: CVE-2021-1499

SOURCES

db:	CNVD	id:	CNVD-2021-35615
db:	VULMON	id:	CVE-2021-1499
db:	CNNVD	id:	CNNVD-202104-975
db:	CNNVD	id:	CNNVD-202105-140
db:	NVD	id:	CVE-2021-1499

LAST UPDATE DATE

2024-08-14T13:13:16.211000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2021-35615	date:	2021-05-19T00:00:00
db:	VULMON	id:	CVE-2021-1499	date:	2023-11-07T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-14T00:00:00
db:	CNNVD	id:	CNNVD-202105-140	date:	2021-08-16T00:00:00
db:	NVD	id:	CVE-2021-1499	date:	2023-11-07T03:28:26.697

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2021-35615	date:	2021-05-19T00:00:00
db:	VULMON	id:	CVE-2021-1499	date:	2021-05-06T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-13T00:00:00
db:	CNNVD	id:	CNNVD-202105-140	date:	2021-05-05T00:00:00
db:	NVD	id:	CVE-2021-1499	date:	2021-05-06T13:15:10.567