CVE-2021-34712 – Cisco SD-WAN vManage Software Cypher Query Language Injection Vulnerability
https://notcve.org/view.php?id=CVE-2021-34712
A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to conduct cypher query language injection attacks on an affected system. This vulnerability is due to insufficient input validation by the web-based management interface. An attacker could exploit this vulnerability by sending crafted HTTP requests to the interface of an affected system. A successful exploit could allow the attacker to obtain sensitive information. Una vulnerabilidad en la interfaz de administración basada en la web de Cisco SD-WAN vManage Software podría permitir a un atacante remoto autenticado realizar ataques de inyección de lenguaje de consulta cifrado en un sistema afectado. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sd-wan-jOsuRJCc • CWE-943: Improper Neutralization of Special Elements in Data Query Logic •
CVE-2021-34700 – Cisco SD-WAN vManage Software Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2021-34700
A vulnerability in the CLI interface of Cisco SD-WAN vManage Software could allow an authenticated, local attacker to read arbitrary files on the underlying file system of an affected system. This vulnerability exists because access to sensitive information on an affected system is not sufficiently controlled. An attacker could exploit this vulnerability by gaining unauthorized access to sensitive information on an affected system. A successful exploit could allow the attacker to create forged authentication requests and gain unauthorized access to the web UI of an affected system. Una vulnerabilidad en la interfaz CLI del software Cisco SD-WAN vManage podría permitir a un atacante local autenticado leer archivos arbitrarios en el sistema de archivos subyacente de un sistema afectado. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-vmanage-infdis-LggOP9sE • CWE-522: Insufficiently Protected Credentials •
CVE-2021-1535 – Cisco SD-WAN vManage Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2021-1535
A vulnerability in the cluster management interface of Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to view sensitive information on an affected system. To be affected by this vulnerability, the Cisco SD-WAN vManage Software must be in cluster mode. This vulnerability is due to the absence of authentication for sensitive information in the cluster management interface. An attacker could exploit this vulnerability by sending a crafted request to the cluster management interface of an affected system. A successful exploit could allow the attacker to allow the attacker to view sensitive information on the affected system. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-vmanageinfdis-LKrFpbv • CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere •
CVE-2021-1515 – Cisco SD-WAN vManage Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2021-1515
A vulnerability in Cisco SD-WAN vManage Software could allow an unauthenticated, adjacent attacker to gain access to sensitive information. This vulnerability is due to improper access controls on API endpoints when Cisco SD-WAN vManage Software is running in multi-tenant mode. An attacker with access to a device that is managed in the multi-tenant environment could exploit this vulnerability by sending a request to an affected API endpoint on the vManage system. A successful exploit could allow the attacker to gain access to sensitive information that may include hashed credentials that could be used in future attacks. Una vulnerabilidad en Cisco SD-WAN vManage Software, podría permitir a un atacante adyacente no autenticado conseguir acceso a información confidencial. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sd-wan-vmanage-9VZO4gfU • CWE-284: Improper Access Control •
CVE-2021-1514 – Cisco SD-WAN Software Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2021-1514
A vulnerability in the CLI of Cisco SD-WAN Software could allow an authenticated, local attacker to inject arbitrary commands to be executed with Administrator privileges on the underlying operating system. This vulnerability is due to insufficient input validation on certain CLI commands. An attacker could exploit this vulnerability by authenticating to the device and submitting crafted input to the CLI. The attacker must be authenticated as a low-privileged user to execute the affected commands. A successful exploit could allow the attacker to execute commands with Administrator privileges. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-privesc-QVszVUPy • CWE-20: Improper Input Validation CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •