// For flags

CVE-2021-1617

Cisco Intersight Virtual Appliance Vulnerabilities

Severity Score

6.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track*
*SSVC
Descriptions

Multiple vulnerabilities in the web-based management interface of Cisco Intersight Virtual Appliance could allow an authenticated, remote attacker to conduct a path traversal or command injection attack on an affected system. These vulnerabilities are due to insufficient input validation. An attacker could exploit these vulnerabilities by using the web-based management interface to do one or both of the following: Execute a command using crafted input Upload a file that has been altered using path traversal techniques A successful exploit could allow the attacker to read and write arbitrary files or execute arbitrary commands as root on an affected system. For more information about these vulnerabilities, see the Details section of this advisory.

Múltiples vulnerabilidades en la interfaz de administración basada en la web de Cisco Intersight Virtual Appliance podrían permitir a un atacante remoto y autenticado conducir un ataque de salto de ruta o de inyección de comandos en un sistema afectado. Estas vulnerabilidades son debido a una comprobación de entradas insuficiente. Un atacante podría explotar estas vulnerabilidades al usar la interfaz de administración basada en la web para realizar una o ambas de las siguientes acciones: Ejecutar un comando usando una entrada diseñada. Cargar un archivo que ha sido alterado usando técnicas de salto de ruta. Una explotación con éxito podría permitir al atacante leer y escribir archivos arbitrarios o ejecutar comandos arbitrarios como root en un sistema afectado. Para obtener más información sobre estas vulnerabilidades, consulte la sección Details de este aviso

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
Partial
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:Track*
Exploitation
None
Automatable
No
Tech. Impact
Total
* Organization's Worst-case Scenario
Timeline
  • 2020-11-13 CVE Reserved
  • 2021-07-22 CVE Published
  • 2023-03-08 EPSS Updated
  • 2024-11-07 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • CWE-36: Absolute Path Traversal
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Cisco
Search vendor "Cisco"
Intersight Virtual Appliance
Search vendor "Cisco" for product "Intersight Virtual Appliance"
< 1.0.9-292
Search vendor "Cisco" for product "Intersight Virtual Appliance" and version " < 1.0.9-292"
-
Affected