CVE-2021-1516 — Inclusion of Sensitive Information in Source Code in Cisco WEB Security Appliance

CWE-540 — Inclusion of Sensitive Information in Source Code CWE-401 — Missing Release of Memory after Effective Lifetime5 documents5 sources

Severity

6.5MEDIUMNVD

CNA4.3

EPSS

0.3%

top 44.97%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco WEB Security Appliance Cisco Ironport WEB Security Appliance

Timeline

PublishedMay 6

Latest updateMay 21

Description

A vulnerability in the web-based management interface of Cisco AsyncOS Software for Cisco Content Security Management Appliance (SMA), Cisco Email Security Appliance (ESA), and Cisco Web Security Appliance (WSA) could allow an authenticated, remote attacker to access sensitive information on an affected device. The vulnerability exists because confidential information is included in HTTP requests that are exchanged between the user and the device. An attacker could exploit this vulnerability by …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5cisco/cisco_web_security_appliancen/a

▶NVDcisco/ironport_web_security_appliance5 versions+4

🔴Vulnerability Details

GHSA

GHSA-qc7x-2qxv-wrwr: A vulnerability in the web-based management interface of Cisco AsyncOS Software for Cisco Content Security Management Appliance (SMA), Cisco Email Sec↗2022-05-24

▶

CVEList

Cisco Content Security Management Appliance, Email Security Appliance, and Web Security Appliance Information Disclosure Vulnerability↗2021-05-06

▶

📋Vendor Advisories

Red Hat

kernel: media: zr364xx: fix memory leak in zr364xx_start_readpipe↗2024-05-21

▶

Cisco

Cisco Content Security Management Appliance, Email Security Appliance, and Web Security Appliance Information Disclosure Vulnerability↗2021-05-05

▶