History: May 06, 2021 - 1:15 p.m.

CVE-2021-1516

2021-05-06 13:15:10
CWE-540
web.nvd.nist.gov
cve-2021-1516
cisco
asyncos
content security management appliance
email security appliance
web security appliance
vulnerability
http requests
password exposure

CVSS3: 6.5 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score: 6.2 Medium (Confidence: High)

CVSS2: 4 Medium

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

EPSS: 0.002 Low (Percentile: 52.0%)

A vulnerability in the web-based management interface of Cisco AsyncOS Software for Cisco Content Security Management Appliance (SMA), Cisco Email Security Appliance (ESA), and Cisco Web Security Appliance (WSA) could allow an authenticated, remote attacker to access sensitive information on an affected device. The vulnerability exists because confidential information is included in HTTP requests that are exchanged between the user and the device. An attacker could exploit this vulnerability by looking at the raw HTTP requests that are sent to the interface. A successful exploit could allow the attacker to obtain some of the passwords that are configured throughout the interface.

Affected configurations

NVD
Node
cisco content_security_management_appliance Match -
OR
cisco email_security_appliance Match -
OR
cisco web_security_appliance Match -
AND
cisco asyncos Range <14.0
Node
cisco ironport_web_security_appliance Match 13.6.2-023
OR
cisco ironport_web_security_appliance Match 14.0.0-090
OR
cisco ironport_web_security_appliance Match 14.0.0-133
OR
cisco ironport_web_security_appliance Match 14.0.0-292
OR
cisco ironport_web_security_appliance Match 14.0.0-300

CNA Affected

[
  {
    "product": "Cisco Web Security Appliance (WSA) ",
    "vendor": "Cisco",
    "versions": [
      {
        "status": "affected",
        "version": "n/a"
      }
    ]
  }
]
