Details of VAR-202107-0423

ID

VAR-202107-0423

CVE

CVE-2021-1574

TITLE

Pillow Buffer error vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

DESCRIPTION

Multiple vulnerabilities in the web-based management interface of Cisco Business Process Automation (BPA) could allow an authenticated, remote attacker to elevate privileges to Administrator. These vulnerabilities are due to improper authorization enforcement for specific features and for access to log files that contain confidential information. An attacker could exploit these vulnerabilities either by submitting crafted HTTP messages to an affected system and performing unauthorized actions with the privileges of an administrator, or by retrieving sensitive data from the logs and using it to impersonate a legitimate privileged user. A successful exploit could allow the attacker to elevate privileges to Administrator. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements

Trust: 1.62

sources: NVD: CVE-2021-1574 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-374628 // VULMON: CVE-2021-1574

AFFECTED PRODUCTS

vendor:

cisco

model:

business process automation

scope:

version:

3.1

Trust: 1.0

sources: NVD: CVE-2021-1574

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-1574
value:	HIGH
Trust: 1.0
ykramarz@cisco.com:	CVE-2021-1574
value:	HIGH
Trust: 1.0
CNNVD:	CNNVD-202104-975
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202107-337
value:	HIGH
Trust: 0.6
VULHUB:	VHN-374628
value:	HIGH
Trust: 0.1
VULMON:	CVE-2021-1574
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2021-1574
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
VULHUB:	VHN-374628
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-1574
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 2.0

sources: VULHUB: VHN-374628 // VULMON: CVE-2021-1574 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202107-337 // NVD: CVE-2021-1574 // NVD: CVE-2021-1574

PROBLEMTYPE DATA

problemtype:	CWE-798	Trust: 1.1
problemtype:	CWE-285	Trust: 1.0

sources: VULHUB: VHN-374628 // NVD: CVE-2021-1574

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202107-337

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title:	Cisco: Cisco Business Process Automation Privilege Escalation Vulnerabilities	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-bpa-priv-esc-dgubwbH4	Trust: 0.1
title:	Threatpost	url:	https://threatpost.com/cisco-bpa-wsa-bugs-cyberattacks/167654/	Trust: 0.1

sources: VULMON: CVE-2021-1574

EXTERNAL IDS

db:	NVD	id:	CVE-2021-1574	Trust: 1.8
db:	CS-HELP	id:	SB2021041363	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-975	Trust: 0.6
db:	CS-HELP	id:	SB2021070813	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.2327	Trust: 0.6
db:	CNNVD	id:	CNNVD-202107-337	Trust: 0.6
db:	VULHUB	id:	VHN-374628	Trust: 0.1
db:	VULMON	id:	CVE-2021-1574	Trust: 0.1

sources: VULHUB: VHN-374628 // VULMON: CVE-2021-1574 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202107-337 // NVD: CVE-2021-1574

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-bpa-priv-esc-dgubwbh4	Trust: 2.5
url:	https://www.cybersecurity-help.cz/vdb/sb2021041363	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021070813	Trust: 0.6
url:	https://nvd.nist.gov/vuln/detail/cve-2021-1574	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.2327	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/798.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://threatpost.com/cisco-bpa-wsa-bugs-cyberattacks/167654/	Trust: 0.1

sources: VULHUB: VHN-374628 // VULMON: CVE-2021-1574 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202107-337 // NVD: CVE-2021-1574

SOURCES

db:	VULHUB	id:	VHN-374628
db:	VULMON	id:	CVE-2021-1574
db:	CNNVD	id:	CNNVD-202104-975
db:	CNNVD	id:	CNNVD-202107-337
db:	NVD	id:	CVE-2021-1574

LAST UPDATE DATE

2024-08-14T13:09:53.286000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-374628	date:	2022-08-05T00:00:00
db:	VULMON	id:	CVE-2021-1574	date:	2021-09-13T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-14T00:00:00
db:	CNNVD	id:	CNNVD-202107-337	date:	2022-08-08T00:00:00
db:	NVD	id:	CVE-2021-1574	date:	2023-11-07T03:28:40.140

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-374628	date:	2021-07-08T00:00:00
db:	VULMON	id:	CVE-2021-1574	date:	2021-07-08T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-13T00:00:00
db:	CNNVD	id:	CNNVD-202107-337	date:	2021-07-07T00:00:00
db:	NVD	id:	CVE-2021-1574	date:	2021-07-08T19:15:08.700