Details of VAR-202108-0311

ID

VAR-202108-0311

CVE

CVE-2021-1577

TITLE

Cisco Application Policy Infrastructure Controller and Cisco Cloud Application Policy Infrastructure Controller Fraud related to unauthorized authentication in

Trust: 0.8

sources: JVNDB: JVNDB-2021-011087

DESCRIPTION

A vulnerability in an API endpoint of Cisco Application Policy Infrastructure Controller (APIC) and Cisco Cloud Application Policy Infrastructure Controller (Cloud APIC) could allow an unauthenticated, remote attacker to read or write arbitrary files on an affected system. This vulnerability is due to improper access control. An attacker could exploit this vulnerability by using a specific API endpoint to upload a file to an affected device. A successful exploit could allow the attacker to read or write arbitrary files on an affected device. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements

Trust: 2.34

sources: NVD: CVE-2021-1577 // JVNDB: JVNDB-2021-011087 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-374631 // VULMON: CVE-2021-1577

AFFECTED PRODUCTS

vendor:	cisco	model:	application policy infrastructure controller	scope:	lt	version:	4.2\(6h\)	Trust: 1.0
vendor:	cisco	model:	application policy infrastructure controller	scope:	lt	version:	5.1\(3e\)	Trust: 1.0
vendor:	cisco	model:	application policy infrastructure controller	scope:	gte	version:	5.0	Trust: 1.0
vendor:	cisco	model:	cloud application policy infrastructure controller	scope:	lt	version:	4.2\(6h\)	Trust: 1.0
vendor:	cisco	model:	cloud application policy infrastructure controller	scope:	gte	version:	5.0	Trust: 1.0
vendor:	cisco	model:	cloud application policy infrastructure controller	scope:	lt	version:	3.2\(10e\)	Trust: 1.0
vendor:	cisco	model:	cloud application policy infrastructure controller	scope:	lt	version:	5.1\(3e\)	Trust: 1.0
vendor:	cisco	model:	application policy infrastructure controller	scope:	gte	version:	4.0	Trust: 1.0
vendor:	cisco	model:	cloud application policy infrastructure controller	scope:	gte	version:	4.0	Trust: 1.0
vendor:	cisco	model:	application policy infrastructure controller	scope:	lt	version:	3.2\(10e\)	Trust: 1.0
vendor:	シスコシステムズ	model:	cisco cloud application policy infrastructure controller	scope:	-	version:	-	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco application policy infrastructure controller	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2021-011087 // NVD: CVE-2021-1577

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-1577
value:	CRITICAL
Trust: 1.0
ykramarz@cisco.com:	CVE-2021-1577
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2021-1577
value:	CRITICAL
Trust: 0.8
CNNVD:	CNNVD-202108-2357
value:	CRITICAL
Trust: 0.6
CNNVD:	CNNVD-202104-975
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-374631
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2021-1577
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-1577
severity:	MEDIUM
baseScore:	6.4
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-374631
severity:	MEDIUM
baseScore:	6.4
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-1577
baseSeverity:	CRITICAL
baseScore:	9.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	5.2
version:	3.1
Trust: 2.0
NVD:	CVE-2021-1577
baseSeverity:	CRITICAL
baseScore:	9.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-374631 // VULMON: CVE-2021-1577 // JVNDB: JVNDB-2021-011087 // CNNVD: CNNVD-202108-2357 // CNNVD: CNNVD-202104-975 // NVD: CVE-2021-1577 // NVD: CVE-2021-1577

PROBLEMTYPE DATA

problemtype:	NVD-CWE-Other	Trust: 1.0
problemtype:	CWE-284	Trust: 1.0
problemtype:	Illegal authentication (CWE-863) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2021-011087 // NVD: CVE-2021-1577

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202108-2357

TYPE

other

Trust: 1.2

sources: CNNVD: CNNVD-202108-2357 // CNNVD: CNNVD-202104-975

PATCH

title:	cisco-sa-capic-frw-Nt3RYxR2	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-capic-frw-Nt3RYxR2	Trust: 0.8
title:	Cisco Application Policy Infrastructure Controller Fixes for access control error vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=160682	Trust: 0.6
title:	Cisco: Cisco Application Policy Infrastructure Controller Arbitrary File Read and Write Vulnerability	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-capic-frw-Nt3RYxR2	Trust: 0.1
title:	Threatpost	url:	https://threatpost.com/cisco-issues-critical-fixes-for-high-end-nexus-gear/168939/	Trust: 0.1

sources: VULMON: CVE-2021-1577 // JVNDB: JVNDB-2021-011087 // CNNVD: CNNVD-202108-2357

EXTERNAL IDS

db:	NVD	id:	CVE-2021-1577	Trust: 3.4
db:	JVNDB	id:	JVNDB-2021-011087	Trust: 0.8
db:	CNNVD	id:	CNNVD-202108-2357	Trust: 0.7
db:	AUSCERT	id:	ESB-2021.2871	Trust: 0.6
db:	CS-HELP	id:	SB2021082610	Trust: 0.6
db:	CS-HELP	id:	SB2021041363	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-975	Trust: 0.6
db:	VULHUB	id:	VHN-374631	Trust: 0.1
db:	VULMON	id:	CVE-2021-1577	Trust: 0.1

sources: VULHUB: VHN-374631 // VULMON: CVE-2021-1577 // JVNDB: JVNDB-2021-011087 // CNNVD: CNNVD-202108-2357 // CNNVD: CNNVD-202104-975 // NVD: CVE-2021-1577

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-capic-frw-nt3ryxr2	Trust: 2.5
url:	https://nvd.nist.gov/vuln/detail/cve-2021-1577	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/esb-2021.2871	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021082610	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021041363	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/863.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://threatpost.com/cisco-issues-critical-fixes-for-high-end-nexus-gear/168939/	Trust: 0.1

sources: VULHUB: VHN-374631 // VULMON: CVE-2021-1577 // JVNDB: JVNDB-2021-011087 // CNNVD: CNNVD-202108-2357 // CNNVD: CNNVD-202104-975 // NVD: CVE-2021-1577

SOURCES

db:	VULHUB	id:	VHN-374631
db:	VULMON	id:	CVE-2021-1577
db:	JVNDB	id:	JVNDB-2021-011087
db:	CNNVD	id:	CNNVD-202108-2357
db:	CNNVD	id:	CNNVD-202104-975
db:	NVD	id:	CVE-2021-1577

LAST UPDATE DATE

2024-08-14T12:36:37.142000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-374631	date:	2022-10-21T00:00:00
db:	VULMON	id:	CVE-2021-1577	date:	2021-09-01T00:00:00
db:	JVNDB	id:	JVNDB-2021-011087	date:	2022-07-19T02:22:00
db:	CNNVD	id:	CNNVD-202108-2357	date:	2022-10-24T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-14T00:00:00
db:	NVD	id:	CVE-2021-1577	date:	2023-11-07T03:28:40.650

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-374631	date:	2021-08-25T00:00:00
db:	VULMON	id:	CVE-2021-1577	date:	2021-08-25T00:00:00
db:	JVNDB	id:	JVNDB-2021-011087	date:	2022-07-19T00:00:00
db:	CNNVD	id:	CNNVD-202108-2357	date:	2021-08-25T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-13T00:00:00
db:	NVD	id:	CVE-2021-1577	date:	2021-08-25T20:15:09.883