// For flags

CVE-2021-1303

Cisco DNA Center Privilege Escalation Vulnerability

Severity Score

8.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

A vulnerability in the user management roles of Cisco DNA Center could allow an authenticated, remote attacker to execute unauthorized commands on an affected device. The vulnerability is due to improper enforcement of actions for assigned user roles. An attacker could exploit this vulnerability by authenticating as a user with an Observer role and executing commands on the affected device. A successful exploit could allow a user with the Observer role to execute commands to view diagnostic information of the devices that Cisco DNA Center manages.

Una vulnerabilidad en los roles de administración de usuarios de Cisco DNA Center, podría permitir a un atacante remoto autenticado ejecutar comandos no autorizados en un dispositivo afectado. La vulnerabilidad es debido a la aplicación inapropiada de acciones para los roles de usuario asignados. Un atacante podría explotar esta vulnerabilidad al autenticarse como usuario con un rol de observador y ejecutar comandos en el dispositivo afectado. Una explotación con éxito podría permitir que un usuario con el rol de Observador ejecutar comandos para visualizar información de diagnóstico de los dispositivos que administra Cisco DNA Center

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2020-11-13 CVE Reserved
  • 2021-01-20 CVE Published
  • 2023-06-08 EPSS Updated
  • 2024-09-16 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-266: Incorrect Privilege Assignment
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Cisco
Search vendor "Cisco"
 Dna Center
Search vendor "Cisco" for product "Dna Center"
 < 2.1.2.0
Search vendor "Cisco" for product "Dna Center" and version " < 2.1.2.0"
-
Affected