Details of VAR-202108-0568

ID

VAR-202108-0568

CVE

CVE-2021-1522

TITLE

Pillow Buffer error vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

DESCRIPTION

A vulnerability in the change password API of Cisco Connected Mobile Experiences (CMX) could allow an authenticated, remote attacker to alter their own password to a value that does not comply with the strong authentication requirements that are configured on an affected device. This vulnerability exists because a password policy check is incomplete at the time a password is changed at server side using the API. An attacker could exploit this vulnerability by sending a specially crafted API request to the affected device. A successful exploit could allow the attacker to change their own password to a value that does not comply with the configured strong authentication requirements. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. Cisco Connected Mobile Experiences is an interconnected mobile experience of Cisco (Cisco)

Trust: 1.62

sources: NVD: CVE-2021-1522 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-374576 // VULMON: CVE-2021-1522

AFFECTED PRODUCTS

vendor:	cisco	model:	connected mobile experiences	scope:	eq	version:	10.6.2	Trust: 1.0
vendor:	cisco	model:	connected mobile experiences	scope:	eq	version:	10.6.1	Trust: 1.0
vendor:	cisco	model:	connected mobile experiences	scope:	eq	version:	10.6.0	Trust: 1.0
vendor:	cisco	model:	connected mobile experiences	scope:	eq	version:	10.6.3	Trust: 1.0

sources: NVD: CVE-2021-1522

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-1522
value:	MEDIUM
Trust: 1.0
ykramarz@cisco.com:	CVE-2021-1522
value:	MEDIUM
Trust: 1.0
CNNVD:	CNNVD-202104-975
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202108-418
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-374576
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2021-1522
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-1522
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
VULHUB:	VHN-374576
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-1522
baseSeverity:	MEDIUM
baseScore:	4.3
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	1.4
version:	3.1
Trust: 2.0

sources: VULHUB: VHN-374576 // VULMON: CVE-2021-1522 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202108-418 // NVD: CVE-2021-1522 // NVD: CVE-2021-1522

PROBLEMTYPE DATA

problemtype:	CWE-521	Trust: 1.1
problemtype:	CWE-255	Trust: 1.0

sources: VULHUB: VHN-374576 // NVD: CVE-2021-1522

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202108-418

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title:	Cisco Connected Mobile Experiences Repair measures for trust management problem vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=158942	Trust: 0.6
title:	Cisco: Cisco Connected Mobile Experiences Strong Authentication Requirements Enforcement Bypass	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-cmx-GkCvfd4	Trust: 0.1

sources: VULMON: CVE-2021-1522 // CNNVD: CNNVD-202108-418

EXTERNAL IDS

db:	NVD	id:	CVE-2021-1522	Trust: 1.8
db:	CNNVD	id:	CNNVD-202108-418	Trust: 0.7
db:	CS-HELP	id:	SB2021041363	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-975	Trust: 0.6
db:	CS-HELP	id:	SB2021080518	Trust: 0.6
db:	VULHUB	id:	VHN-374576	Trust: 0.1
db:	VULMON	id:	CVE-2021-1522	Trust: 0.1

sources: VULHUB: VHN-374576 // VULMON: CVE-2021-1522 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202108-418 // NVD: CVE-2021-1522

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-cmx-gkcvfd4	Trust: 2.5
url:	https://www.cybersecurity-help.cz/vdb/sb2021041363	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021080518	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/521.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-374576 // VULMON: CVE-2021-1522 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202108-418 // NVD: CVE-2021-1522

SOURCES

db:	VULHUB	id:	VHN-374576
db:	VULMON	id:	CVE-2021-1522
db:	CNNVD	id:	CNNVD-202104-975
db:	CNNVD	id:	CNNVD-202108-418
db:	NVD	id:	CVE-2021-1522

LAST UPDATE DATE

2024-08-14T12:13:06.566000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-374576	date:	2021-08-11T00:00:00
db:	VULMON	id:	CVE-2021-1522	date:	2021-08-11T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-14T00:00:00
db:	CNNVD	id:	CNNVD-202108-418	date:	2021-08-12T00:00:00
db:	NVD	id:	CVE-2021-1522	date:	2023-11-07T03:28:30.757

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-374576	date:	2021-08-04T00:00:00
db:	VULMON	id:	CVE-2021-1522	date:	2021-08-04T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-13T00:00:00
db:	CNNVD	id:	CNNVD-202108-418	date:	2021-08-04T00:00:00
db:	NVD	id:	CVE-2021-1522	date:	2021-08-04T18:15:08.287