exploitDog
CVE-2021-1579

Published: 25 Aug 2021
Source: nvd
CVSS3: 8.1
CVSS3: 8.8
CVSS2: 9
EPSS: Low

Description

A vulnerability in an API endpoint of Cisco Application Policy Infrastructure Controller (APIC) and Cisco Cloud Application Policy Infrastructure Controller (Cloud APIC) could allow an authenticated, remote attacker with Administrator read-only credentials to elevate privileges on an affected system. This vulnerability is due to an insufficient role-based access control (RBAC). An attacker with Administrator read-only credentials could exploit this vulnerability by sending a specific API request using an app with admin write credentials. A successful exploit could allow the attacker to elevate privileges to Administrator with write privileges on the affected device.

Vulnerable configurations

Configuration 1

One of

cpe:2.3:a:cisco:application_policy_infrastructure_controller:*:*:*:*:*:*:*:*
Version before 3.2(10f) (excluding)
cpe:2.3:a:cisco:application_policy_infrastructure_controller:*:*:*:*:*:*:*:*
Version from 4.0 (including) to 4.2(7l) (excluding)
cpe:2.3:a:cisco:application_policy_infrastructure_controller:*:*:*:*:*:*:*:*
Version from 5.0 (including) to 5.2(2f) (excluding)
cpe:2.3:a:cisco:cloud_application_policy_infrastructure_controller:*:*:*:*:*:*:*:*
Version before 3.2(10f) (excluding)
cpe:2.3:a:cisco:cloud_application_policy_infrastructure_controller:*:*:*:*:*:*:*:*
Version from 4.0 (including) to 4.2(7l) (excluding)
cpe:2.3:a:cisco:cloud_application_policy_infrastructure_controller:*:*:*:*:*:*:*:*
Version from 5.0 (including) to 5.2(2f) (excluding)

EPSS

Percentile: 72%
EPSS score: 0.00729
Low

Scores

CVSS3: 8.1 High
CVSS3: 8.8 High
CVSS2: 9 Critical

Weaknesses

CWE-250
CWE-269

Related vulnerabilities

CVSS3: 8.8
Source: github
About 3 years ago
