// For flags

CVE-2021-1438

Cisco Wide Area Application Services Software Information Disclosure Vulnerability

Severity Score

5.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

A vulnerability in Cisco Wide Area Application Services (WAAS) Software could allow an authenticated, local attacker to gain access to sensitive information on an affected device. The vulnerability is due to improper input validation and authorization of specific commands that a user can execute within the CLI. An attacker could exploit this vulnerability by authenticating to an affected device and issuing a specific set of commands. A successful exploit could allow the attacker to read arbitrary files that they originally did not have permissions to access.

Una vulnerabilidad en el software Cisco Wide Area Application Services (WAAS) podría permitir a un atacante local autenticado conseguir acceso a información confidencial en un dispositivo afectado. La vulnerabilidad es debido a una comprobación inapropiada de la entrada y una autorización de comandos específicos que un usuario puede ejecutar dentro de la CLI. Un atacante podría explotar esta vulnerabilidad al autenticarse en un dispositivo afectado y emitir un ajuste específico de comandos. Una explotación con éxito podría permitir al atacante leer archivos arbitrarios a los que originalmente no tenían permiso para acceder

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Attack Vector
Local
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2020-11-13 CVE Reserved
  • 2021-05-06 CVE Published
  • 2023-03-08 EPSS Updated
  • 2024-11-08 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-668: Exposure of Resource to Wrong Sphere
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Cisco
Search vendor "Cisco"
Wide Area Application Services
Search vendor "Cisco" for product "Wide Area Application Services"
<= 6.4.5a
Search vendor "Cisco" for product "Wide Area Application Services" and version " <= 6.4.5a"
-
Affected