CVE-2021-34712

EPSS 0.07%
Published 23.09.2021 03:15:17
Last modified 21.11.2024 06:11:01
Source psirt@cisco.com
Teams watchlist Login
Open Login

A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to conduct cypher query language injection attacks on an affected system. This vulnerability is due to insufficient input validation by the web-based management interface. An attacker could exploit this vulnerability by sending crafted HTTP requests to the interface of an affected system. A successful exploit could allow the attacker to obtain sensitive information.

Affected products Warnungen 0 Metrics 4 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Cisco ≫ Catalyst Sd-wan Manager Version >= 20.4 <= 20.4.2

Cisco ≫ Catalyst Sd-wan Manager Version20.5

Cisco ≫ Catalyst Sd-wan Manager Version20.6

Cisco ≫ Sd-wan Vmanage Version >= 20.3 < 20.3.4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.07%	0.191

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	4	8	2.9	AV:N/AC:L/Au:S/C:P/I:N/A:N
psirt@cisco.com	5.4	2.8	2.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CWE-943 Improper Neutralization of Special Elements in Data Query Logic

The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sd-wan-jOsuRJCc

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-34712

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-34712

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-34712

EUVD