Details of VAR-202108-0819

ID

VAR-202108-0819

CVE

CVE-2021-34715

TITLE

Pillow Buffer error vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

DESCRIPTION

A vulnerability in the image verification function of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an authenticated, remote attacker to execute code with internal user privileges on the underlying operating system. The vulnerability is due to insufficient validation of the content of upgrade packages. An attacker could exploit this vulnerability by uploading a malicious archive to the Upgrade page of the administrative web interface. A successful exploit could allow the attacker to execute code with user-level privileges (the _nobody account) on the underlying operating system. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. Cisco Expressway Series is a software for accessing devices outside the firewall. The software provides simple, highly secure access for users outside the firewall, helping remote workers work more efficiently on the device of their choice. Cisco TelePresence Video Communication Server is a video communication server

Trust: 1.62

sources: NVD: CVE-2021-34715 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-394957 // VULMON: CVE-2021-34715

AFFECTED PRODUCTS

vendor:	cisco	model:	telepresence video communication server	scope:	lte	version:	x8.8	Trust: 1.0
vendor:	cisco	model:	expressway	scope:	lte	version:	x8.8.0	Trust: 1.0

sources: NVD: CVE-2021-34715

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-34715
value:	HIGH
Trust: 1.0
ykramarz@cisco.com:	CVE-2021-34715
value:	MEDIUM
Trust: 1.0
CNNVD:	CNNVD-202104-975
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202108-1657
value:	HIGH
Trust: 0.6
VULHUB:	VHN-394957
value:	HIGH
Trust: 0.1
VULMON:	CVE-2021-34715
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2021-34715
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
VULHUB:	VHN-394957
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-34715
baseSeverity:	HIGH
baseScore:	7.2
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.2
impactScore:	5.9
version:	3.1
Trust: 1.0
ykramarz@cisco.com:	CVE-2021-34715
baseSeverity:	MEDIUM
baseScore:	4.7
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	LOW
exploitabilityScore:	1.2
impactScore:	3.4
version:	3.1
Trust: 1.0

sources: VULHUB: VHN-394957 // VULMON: CVE-2021-34715 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202108-1657 // NVD: CVE-2021-34715 // NVD: CVE-2021-34715

PROBLEMTYPE DATA

problemtype:

CWE-347

Trust: 1.1

sources: VULHUB: VHN-394957 // NVD: CVE-2021-34715

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202108-1657

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title:

Cisco Expressway Series and Cisco TelePresence Video Communication Server Repair measures for data forgery problem vulnerabilities

url:

http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=160755

Trust: 0.6

sources: CNNVD: CNNVD-202108-1657

EXTERNAL IDS

db:	NVD	id:	CVE-2021-34715	Trust: 1.8
db:	CNNVD	id:	CNNVD-202108-1657	Trust: 0.7
db:	CS-HELP	id:	SB2021041363	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-975	Trust: 0.6
db:	CS-HELP	id:	SB2021082303	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.2806	Trust: 0.6
db:	VULHUB	id:	VHN-394957	Trust: 0.1
db:	VULMON	id:	CVE-2021-34715	Trust: 0.1

sources: VULHUB: VHN-394957 // VULMON: CVE-2021-34715 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202108-1657 // NVD: CVE-2021-34715

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-ewver-c6wzpxrx	Trust: 2.4
url:	https://www.cybersecurity-help.cz/vdb/sb2021041363	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.2806	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021082303	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/347.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-394957 // VULMON: CVE-2021-34715 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202108-1657 // NVD: CVE-2021-34715

SOURCES

db:	VULHUB	id:	VHN-394957
db:	VULMON	id:	CVE-2021-34715
db:	CNNVD	id:	CNNVD-202104-975
db:	CNNVD	id:	CNNVD-202108-1657
db:	NVD	id:	CVE-2021-34715

LAST UPDATE DATE

2024-08-14T12:26:04.311000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-394957	date:	2021-08-25T00:00:00
db:	VULMON	id:	CVE-2021-34715	date:	2021-08-25T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-14T00:00:00
db:	CNNVD	id:	CNNVD-202108-1657	date:	2021-08-26T00:00:00
db:	NVD	id:	CVE-2021-34715	date:	2023-11-07T03:36:10.637

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-394957	date:	2021-08-18T00:00:00
db:	VULMON	id:	CVE-2021-34715	date:	2021-08-18T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-13T00:00:00
db:	CNNVD	id:	CNNVD-202108-1657	date:	2021-08-18T00:00:00
db:	NVD	id:	CVE-2021-34715	date:	2021-08-18T20:15:07.150