CVE-2021-1499

Опубликовано: 06 мая 2021

Источник: nvd

CVSS3: 5.3

CVSS2: 5

EPSS Критический

Описание

A vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform could allow an unauthenticated, remote attacker to upload files to an affected device. This vulnerability is due to missing authentication for the upload function. An attacker could exploit this vulnerability by sending a specific HTTP request to an affected device. A successful exploit could allow the attacker to upload files to the affected device with the permissions of the tomcat8 user.

Ссылки

http://packetstormsecurity.com/files/163203/Cisco-HyperFlex-HX-Data-Platform-File-Upload-Remote-Code-Execution.html
Exploit
Third Party Advisory
VDB Entry
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-upload-KtCK8Ugz
Vendor Advisory
http://packetstormsecurity.com/files/163203/Cisco-HyperFlex-HX-Data-Platform-File-Upload-Remote-Code-Execution.html
Exploit
Third Party Advisory
VDB Entry
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-upload-KtCK8Ugz
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одновременно

Одно из

cpe:2.3:o:cisco:hyperflex_hx_data_platform:*:*:*:*:*:*:*:*

Версия до 4.0\(2e\) (исключая)

cpe:2.3:o:cisco:hyperflex_hx_data_platform:*:*:*:*:*:*:*:*

Версия от 4.5 (включая) до 4.5\(2a\) (исключая)

Одно из

cpe:2.3:h:cisco:hyperflex_hx220c_af_m5:-:*:*:*:*:*:*:*

cpe:2.3:h:cisco:hyperflex_hx220c_all_nvme_m5:-:*:*:*:*:*:*:*

cpe:2.3:h:cisco:hyperflex_hx220c_edge_m5:-:*:*:*:*:*:*:*

cpe:2.3:h:cisco:hyperflex_hx220c_m5:-:*:*:*:*:*:*:*

cpe:2.3:h:cisco:hyperflex_hx240c:-:*:*:*:*:*:*:*

cpe:2.3:h:cisco:hyperflex_hx240c_af_m5:-:*:*:*:*:*:*:*

cpe:2.3:h:cisco:hyperflex_hx240c_m5:-:*:*:*:*:*:*:*

EPSS

Процентиль: 100%

0.9197

Критический

5.3 Medium

CVSS3

5 Medium

CVSS2

Дефекты

CWE-306

Связанные уязвимости

GHSA-389x-22j4-jr37

github

больше 3 лет назад

BDU:2021-03038