CVE-2021-1247
Published 2021-01-20
Priority P261, high, 8.8 (CVSS 3.1)
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.90% (77.1th percentile)
Multiple vulnerabilities in certain REST API endpoints of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to execute arbitrary SQL commands on an affected device. For more information about these vulnerabilities, see the Details section of this advisory.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | cisco_data_center_network_manager | — | — |
| cisco | data_center_network_manager | < 11.5(1) | 11.5(1) |
| cisco | data_center_network_manager | — | — |
Detection & IOCs
- Vulnerability class is SQL Injection (CWE-89) via authenticated REST API endpoints of Cisco DCNM; monitor for anomalous or malformed SQL payloads in REST API requests to DCNM.
- Track Cisco bug IDs CSCvv82432 and CSCvv82433 for patch status and internal vendor indicators associated with these SQL injection vulnerabilities.
- Exploitation requires the attacker to be authenticated; unauthenticated access alone is insufficient to trigger these SQL injection vulnerabilities.
- No workarounds exist for these vulnerabilities; only vendor-supplied software updates remediate the issue.
CVSS provenance
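| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| vendor_cisco | — | 8.8 | HIGH | — |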
GHSA
GHSA-f5hw-7588-79hg (ghsa_unreviewed, 2022-05-24)
CVE-2021-1247 [HIGH] CWE-89
Cisco
Cisco Data Center Network Manager SQL Injection Vulnerabilities
vendor_cisco · 2021-01-20 · CVSS 8.8
CVE-2021-1247 [HIGH] CWE-89
Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dcnm-sql-inj-OAQOObP
CVSS version: 3.1
CWE: CWE-89
Bug IDs: CSCvv82432, CSCvv82433
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2021-01-20