Lucene search

[email protected]CVE-2021-1306

HistoryMay 22, 2021 - 7:15 a.m.

CVE-2021-1306

2021-05-2207:15:07

CWE-73

CWE-610

[email protected]

web.nvd.nist.gov

cve-2021-1306

vulnerability

cisco

epn manager

ise

prime infrastructure

authenticated

local attacker

file system

cli commands

3.6 Low

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:P/A:N

4.4 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

4.2 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

5.1%

JSON

A vulnerability in the restricted shell of Cisco Evolved Programmable Network (EPN) Manager, Cisco Identity Services Engine (ISE), and Cisco Prime Infrastructure could allow an authenticated, local attacker to identify directories and write arbitrary files to the file system. This vulnerability is due to improper validation of parameters that are sent to a CLI command within the restricted shell. An attacker could exploit this vulnerability by logging in to the device and issuing certain CLI commands. A successful exploit could allow the attacker to identify file directories on the affected device and write arbitrary files to the file system on the affected device. To exploit this vulnerability, the attacker must be an authenticated shell user.

Affected configurations

NVD

Node

ciscoevolved_programmable_network_managerRange<5.0.1

ciscoidentity_services_engineRange<2.7.0

ciscoidentity_services_engineMatch2.7.0-

ciscoidentity_services_engineMatch2.7.0patch2

ciscoidentity_services_engineMatch3.0.0-

ciscoidentity_services_engineMatch3.0.0patch1

ciscoprime_infrastructureRange<3.8.1

ciscoprime_infrastructureMatch3.8.1-

CPENameOperatorVersion
cisco:evolved_programmable_network_managercisco evolved programmable network managerlt5.0.1
cisco:identity_services_enginecisco identity services enginelt2.7.0
cisco:identity_services_enginecisco identity services engineeq3.0.0
cisco:prime_infrastructurecisco prime infrastructurelt3.8.1

CPE	Name	Operator	Version
cisco:evolved_programmable_network_manager	cisco evolved programmable network manager	lt	5.0.1
cisco:identity_services_engine	cisco identity services engine	lt	2.7.0
cisco:identity_services_engine	cisco identity services engine	eq	3.0.0
cisco:prime_infrastructure	cisco prime infrastructure	lt	3.8.1

CNA Affected

[
  {
    "product": "Cisco Identity Services Engine Software ",
    "vendor": "Cisco",
    "versions": [
      {
        "status": "affected",
        "version": "n/a"
      }
    ]
  }
]

References

tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ade-xcvAQEOZ

3.6 Low

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:P/A:N

4.4 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

4.2 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

5.1%

JSON

Related for CVE-2021-1306

nvd1 nessus2 prion1 cisco1 cvelist1