Lucene search

CiscoCVE-2021-1385

HistoryMar 24, 2021 - 8:15 p.m.

CVE-2021-1385

2021-03-2420:15:13

CWE-22

cisco

web.nvd.nist.gov

cve-2021-1385

cisco

iox

application hosting

directory traversal

remote code execution

security vulnerability

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:S/C:P/I:P/A:P

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

AI Score

6.4

Confidence

High

EPSS

0.002

Percentile

56.0%

JSON

A vulnerability in the Cisco IOx application hosting environment of multiple Cisco platforms could allow an authenticated, remote attacker to conduct directory traversal attacks and read and write files on the underlying operating system or host system. This vulnerability occurs because the device does not properly validate URIs in IOx API requests. An attacker could exploit this vulnerability by sending a crafted API request that contains directory traversal character sequences to an affected device. A successful exploit could allow the attacker to read or write arbitrary files on the underlying operating system.

Affected configurations

Nvd

Node

ciscoiosMatch15.8\(3\)m2a

ciscoiosMatch15.8\(3\)m3

ciscoiosMatch15.8\(3\)m4

ciscoiosMatch15.8\(3\)m5

ciscoiosMatch15.8\(3\)m6

ciscoiosMatch15.9\(3\)m

ciscoiosMatch15.9\(3\)m1

ciscoiosMatch15.9\(3\)m2

ciscoiosMatch15.9\(3\)m2a

ciscoiosMatch15.9\(3\)m3

ciscoios_xeMatch16.11.1

ciscoios_xeMatch16.11.1a

ciscoios_xeMatch16.11.1b

ciscoios_xeMatch16.11.1c

ciscoios_xeMatch16.11.1s

ciscoios_xeMatch16.11.2

ciscoios_xeMatch16.12.1

ciscoios_xeMatch16.12.1a

ciscoios_xeMatch16.12.1c

ciscoios_xeMatch16.12.1s

ciscoios_xeMatch16.12.1t

ciscoios_xeMatch16.12.1w

ciscoios_xeMatch16.12.1x

ciscoios_xeMatch16.12.1y

ciscoios_xeMatch16.12.1z

ciscoios_xeMatch16.12.1z1

ciscoios_xeMatch16.12.1za

ciscoios_xeMatch16.12.2

ciscoios_xeMatch16.12.2a

ciscoios_xeMatch16.12.2s

ciscoios_xeMatch16.12.2t

ciscoios_xeMatch16.12.3

ciscoios_xeMatch16.12.3a

ciscoios_xeMatch16.12.3s

ciscoios_xeMatch16.12.4

ciscoios_xeMatch16.12.4a

ciscoios_xeMatch16.12.5

ciscoios_xeMatch17.1.1

ciscoios_xeMatch17.1.1a

ciscoios_xeMatch17.1.1s

ciscoios_xeMatch17.1.1t

ciscoios_xeMatch17.1.2

ciscoios_xeMatch17.1.3

ciscoios_xeMatch17.2.1

ciscoios_xeMatch17.2.1a

ciscoios_xeMatch17.2.1r

ciscoios_xeMatch17.2.1v

ciscoios_xeMatch17.2.2

ciscoios_xeMatch17.3.1

ciscoios_xeMatch17.3.1a

ciscoios_xeMatch17.3.1w

ciscoios_xeMatch17.3.1x

ciscoios_xeMatch17.3.2

ciscoios_xeMatch17.3.2a

ciscoios_xeMatch17.4.1

ciscoios_xeMatch17.4.1a

ciscoios_xeMatch17.4.1b

VendorProductVersionCPE
ciscoios15.8(3)m2acpe:2.3:o:cisco:ios:15.8\(3\)m2a:*:*:*:*:*:*:*
ciscoios15.8(3)m3cpe:2.3:o:cisco:ios:15.8\(3\)m3:*:*:*:*:*:*:*
ciscoios15.8(3)m4cpe:2.3:o:cisco:ios:15.8\(3\)m4:*:*:*:*:*:*:*
ciscoios15.8(3)m5cpe:2.3:o:cisco:ios:15.8\(3\)m5:*:*:*:*:*:*:*
ciscoios15.8(3)m6cpe:2.3:o:cisco:ios:15.8\(3\)m6:*:*:*:*:*:*:*
ciscoios15.9(3)mcpe:2.3:o:cisco:ios:15.9\(3\)m:*:*:*:*:*:*:*
ciscoios15.9(3)m1cpe:2.3:o:cisco:ios:15.9\(3\)m1:*:*:*:*:*:*:*
ciscoios15.9(3)m2cpe:2.3:o:cisco:ios:15.9\(3\)m2:*:*:*:*:*:*:*
ciscoios15.9(3)m2acpe:2.3:o:cisco:ios:15.9\(3\)m2a:*:*:*:*:*:*:*
ciscoios15.9(3)m3cpe:2.3:o:cisco:ios:15.9\(3\)m3:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
cisco	ios	15.8(3)m2a	cpe:2.3:o:cisco:ios:15.8\(3\)m2a:::::::*
cisco	ios	15.8(3)m3	cpe:2.3:o:cisco:ios:15.8\(3\)m3:::::::*
cisco	ios	15.8(3)m4	cpe:2.3:o:cisco:ios:15.8\(3\)m4:::::::*
cisco	ios	15.8(3)m5	cpe:2.3:o:cisco:ios:15.8\(3\)m5:::::::*
cisco	ios	15.8(3)m6	cpe:2.3:o:cisco:ios:15.8\(3\)m6:::::::*
cisco	ios	15.9(3)m	cpe:2.3:o:cisco:ios:15.9\(3\)m:::::::*
cisco	ios	15.9(3)m1	cpe:2.3:o:cisco:ios:15.9\(3\)m1:::::::*
cisco	ios	15.9(3)m2	cpe:2.3:o:cisco:ios:15.9\(3\)m2:::::::*
cisco	ios	15.9(3)m2a	cpe:2.3:o:cisco:ios:15.9\(3\)m2a:::::::*
cisco	ios	15.9(3)m3	cpe:2.3:o:cisco:ios:15.9\(3\)m3:::::::*

Rows per page:

1-10 of 571

CNA Affected

[
  {
    "product": "Cisco IOS",
    "vendor": "Cisco",
    "versions": [
      {
        "status": "affected",
        "version": "n/a"
      }
    ]
  }
]

References

github.com/orangecertcc/security-research/security/advisories/GHSA-hhfw-6cm2-v3w5

tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iox-pt-hWGcPf7g

Social References

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:S/C:P/I:P/A:P

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

AI Score

6.4

Confidence

High

EPSS

0.002

Percentile

56.0%

JSON

Related for CVE-2021-1385