// For flags

CVE-2021-34782

Cisco DNA Center Information Disclosure Vulnerability

Severity Score

4.3
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

A vulnerability in the API endpoints for Cisco DNA Center could allow an authenticated, remote attacker to gain access to sensitive information that should be restricted. The attacker must have valid device credentials. This vulnerability is due to improper access controls on API endpoints. An attacker could exploit the vulnerability by sending a specific API request to an affected application. A successful exploit could allow the attacker to obtain sensitive information about other users who are configured with higher privileges on the application.

Una vulnerabilidad en los endpoints de la API para Cisco DNA Center podría permitir a un atacante remoto autenticado conseguir acceso a información confidencial que debería estar restringida. El atacante debe tener credenciales válidas en el dispositivo. Esta vulnerabilidad es debido a controles de acceso inapropiados en los endpoints de la API. Un atacante podría explotar la vulnerabilidad mediante el envío de una petición específica de la API a una aplicación afectada. Una explotación con éxito podría permitir al atacante conseguir información confidencial sobre otros usuarios que están configurados con privilegios más altos en la aplicación

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-06-15 CVE Reserved
  • 2021-10-06 CVE Published
  • 2023-04-29 EPSS Updated
  • 2024-09-16 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-202: Exposure of Sensitive Information Through Data Queries
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Cisco
Search vendor "Cisco"
 Dna Center
Search vendor "Cisco" for product "Dna Center"
 < 2.2.2.5
Search vendor "Cisco" for product "Dna Center" and version " < 2.2.2.5"
-
Affected
Cisco
Search vendor "Cisco"
 Dna Center
Search vendor "Cisco" for product "Dna Center"
 >= 2.2.3.0 < 2.2.3.3
Search vendor "Cisco" for product "Dna Center" and version " >= 2.2.3.0 < 2.2.3.3"
-
Affected