Details of VAR-202107-0425

ID

VAR-202107-0425

CVE

CVE-2021-1576

TITLE

Pillow Buffer error vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

DESCRIPTION

Multiple vulnerabilities in the web-based management interface of Cisco Business Process Automation (BPA) could allow an authenticated, remote attacker to elevate privileges to Administrator. These vulnerabilities are due to improper authorization enforcement for specific features and for access to log files that contain confidential information. An attacker could exploit these vulnerabilities either by submitting crafted HTTP messages to an affected system and performing unauthorized actions with the privileges of an administrator, or by retrieving sensitive data from the logs and using it to impersonate a legitimate privileged user. A successful exploit could allow the attacker to elevate privileges to Administrator. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements

Trust: 1.62

sources: NVD: CVE-2021-1576 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-374630 // VULMON: CVE-2021-1576

AFFECTED PRODUCTS

vendor:

cisco

model:

business process automation

scope:

version:

3.1

Trust: 1.0

sources: NVD: CVE-2021-1576

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-1576
value:	HIGH
Trust: 1.0
ykramarz@cisco.com:	CVE-2021-1576
value:	HIGH
Trust: 1.0
CNNVD:	CNNVD-202104-975
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202107-297
value:	HIGH
Trust: 0.6
VULHUB:	VHN-374630
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2021-1576
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-1576
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
VULHUB:	VHN-374630
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-1576
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 2.0

sources: VULHUB: VHN-374630 // VULMON: CVE-2021-1576 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202107-297 // NVD: CVE-2021-1576 // NVD: CVE-2021-1576

PROBLEMTYPE DATA

problemtype:	CWE-798	Trust: 1.1
problemtype:	CWE-285	Trust: 1.0
problemtype:	CWE-532	Trust: 0.1

sources: VULHUB: VHN-374630 // NVD: CVE-2021-1576

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202107-297

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title:	Cisco: Cisco Business Process Automation Privilege Escalation Vulnerabilities	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-bpa-priv-esc-dgubwbH4	Trust: 0.1
title:	Threatpost	url:	https://threatpost.com/cisco-bpa-wsa-bugs-cyberattacks/167654/	Trust: 0.1

sources: VULMON: CVE-2021-1576

EXTERNAL IDS

db:	NVD	id:	CVE-2021-1576	Trust: 1.8
db:	CS-HELP	id:	SB2021041363	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-975	Trust: 0.6
db:	CS-HELP	id:	SB2021070813	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.2327	Trust: 0.6
db:	CNNVD	id:	CNNVD-202107-297	Trust: 0.6
db:	VULHUB	id:	VHN-374630	Trust: 0.1
db:	VULMON	id:	CVE-2021-1576	Trust: 0.1

sources: VULHUB: VHN-374630 // VULMON: CVE-2021-1576 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202107-297 // NVD: CVE-2021-1576

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-bpa-priv-esc-dgubwbh4	Trust: 2.5
url:	https://www.cybersecurity-help.cz/vdb/sb2021041363	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021070813	Trust: 0.6
url:	https://nvd.nist.gov/vuln/detail/cve-2021-1576	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.2327	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/532.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://threatpost.com/cisco-bpa-wsa-bugs-cyberattacks/167654/	Trust: 0.1

sources: VULHUB: VHN-374630 // VULMON: CVE-2021-1576 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202107-297 // NVD: CVE-2021-1576

SOURCES

db:	VULHUB	id:	VHN-374630
db:	VULMON	id:	CVE-2021-1576
db:	CNNVD	id:	CNNVD-202104-975
db:	CNNVD	id:	CNNVD-202107-297
db:	NVD	id:	CVE-2021-1576

LAST UPDATE DATE

2024-08-14T13:08:57.036000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-374630	date:	2022-08-05T00:00:00
db:	VULMON	id:	CVE-2021-1576	date:	2021-07-13T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-14T00:00:00
db:	CNNVD	id:	CNNVD-202107-297	date:	2022-08-09T00:00:00
db:	NVD	id:	CVE-2021-1576	date:	2023-11-07T03:28:40.480

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-374630	date:	2021-07-08T00:00:00
db:	VULMON	id:	CVE-2021-1576	date:	2021-07-08T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-13T00:00:00
db:	CNNVD	id:	CNNVD-202107-297	date:	2021-07-07T00:00:00
db:	NVD	id:	CVE-2021-1576	date:	2021-07-08T19:15:09.040