CVE-2021-1612UNIX Symbolic Link (Symlink) Following in Cisco Sd-wan

CWE-61UNIX Symbolic Link (Symlink) FollowingCWE-59Link Following4 documents4 sources
Severity
7.1HIGHNVD
CNA5.5
EPSS
0.0%
top 85.18%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Cisco Sd-wanCisco IOS XE Sd-wan Software
Timeline
PublishedSep 23
Latest updateMay 24

Description

A vulnerability in the Cisco IOS XE SD-WAN Software CLI could allow an authenticated, local attacker to overwrite arbitrary files on the local system. This vulnerability is due to improper access controls on files within the local file system. An attacker could exploit this vulnerability by placing a symbolic link in a specific location on the local file system. A successful exploit could allow the attacker to overwrite arbitrary files on an affected device.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:HExploitability: 1.8 | Impact: 5.2

Affected Packages2 packages

NVDcisco/sd-wan< 17.3.4

Patches

Patch: tools.cisco.comPatch: tools.cisco.com

🔴Vulnerability Details

2
GHSA
GHSA-hpj4-vj9f-q9hf: A vulnerability in the Cisco IOS XE SD-WAN Software CLI could allow an authenticated, local attacker to overwrite arbitrary files on the local system2022-05-24
CVEList
Cisco IOS XE SD-WAN Software Arbitrary File Overwrite Vulnerability2021-09-23

📋Vendor Advisories

1
Cisco
Cisco IOS XE SD-WAN Software Arbitrary File Overwrite Vulnerability2021-09-22
CVE-2021-1612 — UNIX Symbolic Link (Symlink) Following | cvebase