ID

VAR-202108-0819


CVE

CVE-2021-34715


TITLE

Pillow Buffer error vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

DESCRIPTION

A vulnerability in the image verification function of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an authenticated, remote attacker to execute code with internal user privileges on the underlying operating system. The vulnerability is due to insufficient validation of the content of upgrade packages. An attacker could exploit this vulnerability by uploading a malicious archive to the Upgrade page of the administrative web interface. A successful exploit could allow the attacker to execute code with user-level privileges (the _nobody account) on the underlying operating system. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. Cisco Expressway Series is a software for accessing devices outside the firewall. The software provides simple, highly secure access for users outside the firewall, helping remote workers work more efficiently on the device of their choice. Cisco TelePresence Video Communication Server is a video communication server

Trust: 1.62

sources: NVD: CVE-2021-34715 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-394957 // VULMON: CVE-2021-34715

AFFECTED PRODUCTS

vendor:ciscomodel:telepresence video communication serverscope:lteversion:x8.8

Trust: 1.0

vendor:ciscomodel:expresswayscope:lteversion:x8.8.0

Trust: 1.0

sources: NVD: CVE-2021-34715

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-34715
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2021-34715
value: MEDIUM

Trust: 1.0

CNNVD: CNNVD-202104-975
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202108-1657
value: HIGH

Trust: 0.6

VULHUB: VHN-394957
value: HIGH

Trust: 0.1

VULMON: CVE-2021-34715
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2021-34715
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

VULHUB: VHN-394957
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-34715
baseSeverity: HIGH
baseScore: 7.2
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.2
impactScore: 5.9
version: 3.1

Trust: 1.0

ykramarz@cisco.com: CVE-2021-34715
baseSeverity: MEDIUM
baseScore: 4.7
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 1.2
impactScore: 3.4
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-394957 // VULMON: CVE-2021-34715 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202108-1657 // NVD: CVE-2021-34715 // NVD: CVE-2021-34715

PROBLEMTYPE DATA

problemtype:CWE-347

Trust: 1.1

sources: VULHUB: VHN-394957 // NVD: CVE-2021-34715

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202108-1657

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title:Cisco Expressway Series and Cisco TelePresence Video Communication Server Repair measures for data forgery problem vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=160755

Trust: 0.6

sources: CNNVD: CNNVD-202108-1657

EXTERNAL IDS

db:NVDid:CVE-2021-34715

Trust: 1.8

db:CNNVDid:CNNVD-202108-1657

Trust: 0.7

db:CS-HELPid:SB2021041363

Trust: 0.6

db:CNNVDid:CNNVD-202104-975

Trust: 0.6

db:CS-HELPid:SB2021082303

Trust: 0.6

db:AUSCERTid:ESB-2021.2806

Trust: 0.6

db:VULHUBid:VHN-394957

Trust: 0.1

db:VULMONid:CVE-2021-34715

Trust: 0.1

sources: VULHUB: VHN-394957 // VULMON: CVE-2021-34715 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202108-1657 // NVD: CVE-2021-34715

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-ewver-c6wzpxrx

Trust: 2.4

url:https://www.cybersecurity-help.cz/vdb/sb2021041363

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.2806

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021082303

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/347.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-394957 // VULMON: CVE-2021-34715 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202108-1657 // NVD: CVE-2021-34715

SOURCES

db:VULHUBid:VHN-394957
db:VULMONid:CVE-2021-34715
db:CNNVDid:CNNVD-202104-975
db:CNNVDid:CNNVD-202108-1657
db:NVDid:CVE-2021-34715

LAST UPDATE DATE

2024-08-14T12:26:04.311000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-394957date:2021-08-25T00:00:00
db:VULMONid:CVE-2021-34715date:2021-08-25T00:00:00
db:CNNVDid:CNNVD-202104-975date:2021-04-14T00:00:00
db:CNNVDid:CNNVD-202108-1657date:2021-08-26T00:00:00
db:NVDid:CVE-2021-34715date:2023-11-07T03:36:10.637

SOURCES RELEASE DATE

db:VULHUBid:VHN-394957date:2021-08-18T00:00:00
db:VULMONid:CVE-2021-34715date:2021-08-18T00:00:00
db:CNNVDid:CNNVD-202104-975date:2021-04-13T00:00:00
db:CNNVDid:CNNVD-202108-1657date:2021-08-18T00:00:00
db:NVDid:CVE-2021-34715date:2021-08-18T20:15:07.150