CVE-2021-34715

EPSS 0.67%
Veröffentlicht 18.08.2021 20:15:07
Zuletzt bearbeitet 21.11.2024 06:11:02
Quelle psirt@cisco.com
Teams Watchlist Login
Unerledigt Login

A vulnerability in the image verification function of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an authenticated, remote attacker to execute code with internal user privileges on the underlying operating system. The vulnerability is due to insufficient validation of the content of upgrade packages. An attacker could exploit this vulnerability by uploading a malicious archive to the Upgrade page of the administrative web interface. A successful exploit could allow the attacker to execute code with user-level privileges (the _nobody account) on the underlying operating system.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Cisco ≫ Expressway Version <= x8.8.0

Cisco ≫ Telepresence Video Communication Server Version <= x8.8

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.67%	0.689

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.2	1.2	5.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	9	8	10	AV:N/AC:L/Au:S/C:C/I:C/A:C
psirt@cisco.com	4.7	1.2	3.4	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

CWE-347 Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewver-c6WZPXRx

Patch

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-34715

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-34715

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-34715

EUVD