ID

VAR-202110-0199


CVE

CVE-2021-34706


TITLE

Cisco Identity Services Engine Code problem vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-202110-304

DESCRIPTION

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access sensitive information or conduct a server-side request forgery (SSRF) attack through an affected device. This vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by uploading a crafted XML file that contains references to external entities. A successful exploit could allow the attacker to retrieve files from the local system, resulting in the disclosure of sensitive information, or cause the web application to perform arbitrary HTTP requests on behalf of the attacker.

Trust: 1.08

sources: NVD: CVE-2021-34706 // VULHUB: VHN-394948 // VULMON: CVE-2021-34706

AFFECTED PRODUCTS

vendor: cisco, model: identity services engine, scope: eq, version: 3.1(0.518)

Trust: 1.0

vendor: cisco, model: identity services engine, scope: eq, version: 3.2(0.149)

Trust: 1.0

vendor: cisco, model: identity services engine, scope: lte, version: 3.1

Trust: 1.0

sources: NVD: CVE-2021-34706

CVSS

SEVERITY

nvd@nist.gov: CVE-2021-34706
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2021-34706
value: MEDIUM

Trust: 1.0

CNNVD: CNNVD-202110-304
value: MEDIUM

Trust: 0.6

VULHUB: VHN-394948
value: MEDIUM

Trust: 0.1

VULMON: CVE-2021-34706
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2021-34706
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

VULHUB: VHN-394948
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2021-34706
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.5
version: 3.1

Trust: 1.0

ykramarz@cisco.com: CVE-2021-34706
baseSeverity: MEDIUM
baseScore: 6.4
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 3.1
impactScore: 2.7
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-394948 // VULMON: CVE-2021-34706 // CNNVD: CNNVD-202110-304 // NVD: CVE-2021-34706 // NVD: CVE-2021-34706

PROBLEMTYPE DATA

problemtype:CWE-611

Trust: 1.1

sources: VULHUB: VHN-394948 // NVD: CVE-2021-34706

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202110-304

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-202110-304

PATCH

title: Cisco Identity Services Engine Fixes for code issue vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=164979

Trust: 0.6

title: Cisco: Cisco Identity Services Engine XML External Entity Injection Vulnerability
url: https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-ise-xxe-inj-V4VSjEsX

Trust: 0.1

sources: VULMON: CVE-2021-34706 // CNNVD: CNNVD-202110-304

EXTERNAL IDS

db: NVD, id: CVE-2021-34706

Trust: 1.8

db: CS-HELP, id: SB2021100706

Trust: 0.6

db: AUSCERT, id: ESB-2021.3316

Trust: 0.6

db: CNNVD, id: CNNVD-202110-304

Trust: 0.6

db: VULHUB, id: VHN-394948

Trust: 0.1

db: VULMON, id: CVE-2021-34706

Trust: 0.1

sources: VULHUB: VHN-394948 // VULMON: CVE-2021-34706 // CNNVD: CNNVD-202110-304 // NVD: CVE-2021-34706

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-ise-xxe-inj-v4vsjesx

Trust: 2.5

url:https://www.cybersecurity-help.cz/vdb/sb2021100706

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.3316

Trust: 0.6

url:https://nvd.nist.gov/vuln/detail/cve-2021-34706

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/611.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-394948 // VULMON: CVE-2021-34706 // CNNVD: CNNVD-202110-304 // NVD: CVE-2021-34706

SOURCES

db: VULHUB, id: VHN-394948
db: VULMON, id: CVE-2021-34706
db: CNNVD, id: CNNVD-202110-304
db: NVD, id: CVE-2021-34706

LAST UPDATE DATE

2024-08-14T14:31:37.280000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-394948, date: 2021-10-14T00:00:00
db: VULMON, id: CVE-2021-34706, date: 2021-10-14T00:00:00
db: CNNVD, id: CNNVD-202110-304, date: 2021-10-15T00:00:00
db: NVD, id: CVE-2021-34706, date: 2023-11-07T03:36:08.100

SOURCES RELEASE DATE

db: VULHUB, id: VHN-394948, date: 2021-10-06T00:00:00
db: VULMON, id: CVE-2021-34706, date: 2021-10-06T00:00:00
db: CNNVD, id: CNNVD-202110-304, date: 2021-10-06T00:00:00
db: NVD, id: CVE-2021-34706, date: 2021-10-06T20:15:09.047