Lucene search

CiscoCVE-2021-1476

HistoryApr 29, 2021 - 6:15 p.m.

CVE-2021-1476

2021-04-2918:15:09

CWE-78

cisco

web.nvd.nist.gov

cve

cisco

asa

ftd

vulnerability

cli

arbitrary command

authentication

nvd

CVSS2

7.2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3

6.7

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS

Percentile

5.2%

JSON

A vulnerability in the CLI of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system (OS) of an affected device. The vulnerability is due to insufficient input validation of commands that are supplied by the user. An attacker could exploit this vulnerability by authenticating to a device and submitting crafted input for specific commands. A successful exploit could allow the attacker to execute commands on the underlying OS with root privileges. To exploit this vulnerability, an attacker must have valid administrator-level credentials.

Affected configurations

Nvd

Node

ciscofirepower_threat_defenseRange6.5.0–6.6.4

ciscofirepower_threat_defenseRange6.7.0–6.7.0.2

ciscoadaptive_security_appliance_softwareRange9.13–9.13.1.21

ciscoadaptive_security_appliance_softwareRange9.14–9.14.2.13

ciscoadaptive_security_appliance_softwareRange9.15–9.15.1.10

VendorProductVersionCPE
ciscofirepower_threat_defense*cpe:2.3:a:cisco:firepower_threat_defense:*:*:*:*:*:*:*:*
ciscoadaptive_security_appliance_software*cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
cisco	firepower_threat_defense	*	cpe:2.3:a:cisco:firepower_threat_defense::::::::
cisco	adaptive_security_appliance_software	*	cpe:2.3:o:cisco:adaptive_security_appliance_software::::::::

CNA Affected

[
  {
    "product": "Cisco Adaptive Security Appliance (ASA) Software",
    "vendor": "Cisco",
    "versions": [
      {
        "status": "affected",
        "version": "n/a"
      }
    ]
  }
]

References

tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-cmd-inj-SELprvG

Social References

CVSS2

7.2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3

6.7

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS

Percentile

5.2%

JSON

Related for CVE-2021-1476