Details of VAR-202110-0199

ID

VAR-202110-0199

CVE

CVE-2021-34706

TITLE

Cisco Identity Services Engine Code problem vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-202110-304

DESCRIPTION

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access sensitive information or conduct a server-side request forgery (SSRF) attack through an affected device. This vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by uploading a crafted XML file that contains references to external entities. A successful exploit could allow the attacker to retrieve files from the local system, resulting in the disclosure of sensitive information, or cause the web application to perform arbitrary HTTP requests on behalf of the attacker

Trust: 1.08

sources: NVD: CVE-2021-34706 // VULHUB: VHN-394948 // VULMON: CVE-2021-34706

AFFECTED PRODUCTS

vendor:	cisco	model:	identity services engine	scope:	eq	version:	3.1\(0.518\)	Trust: 1.0
vendor:	cisco	model:	identity services engine	scope:	eq	version:	3.2\(0.149\)	Trust: 1.0
vendor:	cisco	model:	identity services engine	scope:	lte	version:	3.1	Trust: 1.0

sources: NVD: CVE-2021-34706

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-34706
value:	MEDIUM
Trust: 1.0
ykramarz@cisco.com:	CVE-2021-34706
value:	MEDIUM
Trust: 1.0
CNNVD:	CNNVD-202110-304
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-394948
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2021-34706
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-34706
severity:	MEDIUM
baseScore:	5.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
VULHUB:	VHN-394948
severity:	MEDIUM
baseScore:	5.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-34706
baseSeverity:	MEDIUM
baseScore:	5.4
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.5
version:	3.1
Trust: 1.0
ykramarz@cisco.com:	CVE-2021-34706
baseSeverity:	MEDIUM
baseScore:	6.4
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	3.1
impactScore:	2.7
version:	3.1
Trust: 1.0

sources: VULHUB: VHN-394948 // VULMON: CVE-2021-34706 // CNNVD: CNNVD-202110-304 // NVD: CVE-2021-34706 // NVD: CVE-2021-34706

PROBLEMTYPE DATA

problemtype:

CWE-611

Trust: 1.1

sources: VULHUB: VHN-394948 // NVD: CVE-2021-34706

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202110-304

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-202110-304

PATCH

title:	Cisco Identity Services Engine Fixes for code issue vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=164979	Trust: 0.6
title:	Cisco: Cisco Identity Services Engine XML External Entity Injection Vulnerability	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-ise-xxe-inj-V4VSjEsX	Trust: 0.1

sources: VULMON: CVE-2021-34706 // CNNVD: CNNVD-202110-304

EXTERNAL IDS

db:	NVD	id:	CVE-2021-34706	Trust: 1.8
db:	CS-HELP	id:	SB2021100706	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.3316	Trust: 0.6
db:	CNNVD	id:	CNNVD-202110-304	Trust: 0.6
db:	VULHUB	id:	VHN-394948	Trust: 0.1
db:	VULMON	id:	CVE-2021-34706	Trust: 0.1

sources: VULHUB: VHN-394948 // VULMON: CVE-2021-34706 // CNNVD: CNNVD-202110-304 // NVD: CVE-2021-34706

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-ise-xxe-inj-v4vsjesx	Trust: 2.5
url:	https://www.cybersecurity-help.cz/vdb/sb2021100706	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.3316	Trust: 0.6
url:	https://nvd.nist.gov/vuln/detail/cve-2021-34706	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/611.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-394948 // VULMON: CVE-2021-34706 // CNNVD: CNNVD-202110-304 // NVD: CVE-2021-34706

SOURCES

db:	VULHUB	id:	VHN-394948
db:	VULMON	id:	CVE-2021-34706
db:	CNNVD	id:	CNNVD-202110-304
db:	NVD	id:	CVE-2021-34706

LAST UPDATE DATE

2024-08-14T14:31:37.280000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-394948	date:	2021-10-14T00:00:00
db:	VULMON	id:	CVE-2021-34706	date:	2021-10-14T00:00:00
db:	CNNVD	id:	CNNVD-202110-304	date:	2021-10-15T00:00:00
db:	NVD	id:	CVE-2021-34706	date:	2023-11-07T03:36:08.100

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-394948	date:	2021-10-06T00:00:00
db:	VULMON	id:	CVE-2021-34706	date:	2021-10-06T00:00:00
db:	CNNVD	id:	CNNVD-202110-304	date:	2021-10-06T00:00:00
db:	NVD	id:	CVE-2021-34706	date:	2021-10-06T20:15:09.047