
CVE-2021-34762

Cisco Firepower Management Center Software Authenticated Directory Traversal Vulnerability

  • Severity Score: 8.1 (CVSS v3.1)
  • Exploit Likelihood (EPSS)
  • Affected Versions (CPE)
  • Public Exploits: 0 (Multiple Sources)
  • Exploited in Wild: - (KEV)
  • Decision: Track* (SSVC)
Descriptions

A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to perform a directory traversal attack on an affected device. The attacker would require valid device credentials. The vulnerability is due to insufficient input validation of the HTTPS URL by the web-based management interface. An attacker could exploit this vulnerability by sending a crafted HTTPS request that contains directory traversal character sequences to an affected device. A successful exploit could allow the attacker to read or write arbitrary files on the device.


*Credits: N/A
CVSS Scores
CVSS v3.1
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: None
CVSS v2.0
  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: Single
  • Confidentiality: Partial
  • Integrity: Partial
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: Track*
  • Exploitation: None
  • Automatable: No
  • Tech. Impact: Total
* Organization's Worst-case Scenario
Timeline
  • 2021-06-15 CVE Reserved
  • 2021-10-27 CVE Published
  • 2024-01-19 EPSS Updated
  • 2024-11-07 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • CWE-26: Path Traversal: '/dir/../filename'
CAPEC
Affected Vendors, Products, and Versions
Vendor  Product                                        Version              Other  Status
Cisco   Firepower Management Center Virtual Appliance  6.2.3                -      Affected
Cisco   Firepower Management Center Virtual Appliance  6.4.0                -      Affected
Cisco   Firepower Management Center Virtual Appliance  6.5.0                -      Affected
Cisco   Firepower Management Center Virtual Appliance  6.6.1                -      Affected
Cisco   Firepower Management Center Virtual Appliance  6.6.2                -      Affected
Cisco   Firepower Management Center Virtual Appliance  6.6.3                -      Affected
Cisco   Firepower Management Center Virtual Appliance  6.6.4                -      Affected
Cisco   Firepower Management Center Virtual Appliance  6.7.0                -      Affected
Cisco   Firepower Management Center Virtual Appliance  7.0.0                -      Affected
Cisco   Firepower Management Center Virtual Appliance  7.1.0                -      Affected
Cisco   Firepower Threat Defense                       < 6.4.0.13           -      Affected
Cisco   Firepower Threat Defense                       >= 6.5.0 < 6.6.5     -      Affected
Cisco   Firepower Threat Defense                       >= 6.7.0 < 6.7.0.3   -      Affected
Cisco   Firepower Threat Defense                       >= 7.0.0 < 7.0.1     -      Affected
Cisco   Sourcefire Defense Center                      6.2.3                -      Affected
Cisco   Sourcefire Defense Center                      6.4.0                -      Affected
Cisco   Sourcefire Defense Center                      6.5.0                -      Affected
Cisco   Sourcefire Defense Center                      6.6.1                -      Affected
Cisco   Sourcefire Defense Center                      6.6.2                -      Affected
Cisco   Sourcefire Defense Center                      6.6.3                -      Affected
Cisco   Sourcefire Defense Center                      6.6.4                -      Affected
Cisco   Sourcefire Defense Center                      7.0.0                -      Affected