Lucene search

CiscoCVE-2021-1578

HistoryAug 25, 2021 - 8:15 p.m.

CVE-2021-1578

2021-08-2520:15:10

CWE-755

CWE-636

cisco

web.nvd.nist.gov

cve-2021-1578

cisco

apic

cloud apic

api endpoint

privilege escalation

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.5

Confidence

High

EPSS

0.003

Percentile

68.6%

JSON

A vulnerability in an API endpoint of Cisco Application Policy Infrastructure Controller (APIC) and Cisco Cloud Application Policy Infrastructure Controller (Cloud APIC) could allow an authenticated, remote attacker to elevate privileges to Administrator on an affected device. This vulnerability is due to an improper policy default setting. An attacker could exploit this vulnerability by using a non-privileged credential for Cisco ACI Multi-Site Orchestrator (MSO) to send a specific API request to a managed Cisco APIC or Cloud APIC device. A successful exploit could allow the attacker to obtain Administrator credentials on the affected device.

Affected configurations

Nvd

Node

ciscoapplication_policy_infrastructure_controllerRange5.0–5.1\(3e\)

ciscoapplication_policy_infrastructure_controllerMatch5.0\(2h\)

ciscocloud_application_policy_infrastructure_controllerRange5.0–5.1\(3e\)

ciscocloud_application_policy_infrastructure_controllerMatch5.0\(2h\)

VendorProductVersionCPE
ciscoapplication_policy_infrastructure_controller*cpe:2.3:a:cisco:application_policy_infrastructure_controller:*:*:*:*:*:*:*:*
ciscoapplication_policy_infrastructure_controller5.0(2h)cpe:2.3:a:cisco:application_policy_infrastructure_controller:5.0\(2h\):*:*:*:*:*:*:*
ciscocloud_application_policy_infrastructure_controller*cpe:2.3:a:cisco:cloud_application_policy_infrastructure_controller:*:*:*:*:*:*:*:*
ciscocloud_application_policy_infrastructure_controller5.0(2h)cpe:2.3:a:cisco:cloud_application_policy_infrastructure_controller:5.0\(2h\):*:*:*:*:*:*:*

Vendor	Product	Version	CPE
cisco	application_policy_infrastructure_controller	*	cpe:2.3:a:cisco:application_policy_infrastructure_controller::::::::
cisco	application_policy_infrastructure_controller	5.0(2h)	cpe:2.3:a:cisco:application_policy_infrastructure_controller:5.0\(2h\):::::::*
cisco	cloud_application_policy_infrastructure_controller	*	cpe:2.3:a:cisco:cloud_application_policy_infrastructure_controller::::::::
cisco	cloud_application_policy_infrastructure_controller	5.0(2h)	cpe:2.3:a:cisco:cloud_application_policy_infrastructure_controller:5.0\(2h\):::::::*

CNA Affected

[
  {
    "product": "Cisco Application Policy Infrastructure Controller (APIC)",
    "vendor": "Cisco",
    "versions": [
      {
        "status": "affected",
        "version": "n/a"
      }
    ]
  }
]

References

tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-capic-pesc-pkmGK4J

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.5

Confidence

High

EPSS

0.003

Percentile

68.6%

JSON

Related for CVE-2021-1578