CVE-2021-1442: Log File Information Exposure in Cisco IOS XE Software

Severity
7.8 HIGH (NVD)
EPSS
0.0%
top 85.03%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Mar 24
Latest update: May 24

Description

A vulnerability in a diagnostic command for the Plug-and-Play (PnP) subsystem of Cisco IOS XE Software could allow an authenticated, local attacker to elevate privileges to the level of an Administrator user (level 15) on an affected device. The vulnerability is due to insufficient protection of sensitive information. An attacker with low privileges could exploit this vulnerability by issuing the diagnostic CLI show pnp profile when a specific PnP listener is enabled on the device. A successful

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 5.9

Affected Packages: 2 packages

NVD: cisco/ios_xe (224 versions)

🔴 Vulnerability Details

2
GHSA
GHSA-m3j8-p665-6qc9: A vulnerability in a diagnostic command for the Plug-and-Play (PnP) subsystem of Cisco IOS XE Software could allow an authenticated, local attacker to
2022-05-24
CVEList
Cisco IOS XE Software Plug-and-Play Privilege Escalation Vulnerability
2021-03-24

📋 Vendor Advisories

1
Cisco
Cisco IOS XE Software Plug-and-Play Privilege Escalation Vulnerability
2021-03-24