CVE-2021-34739

CWE-613 — Insufficient Session Expiration4 documents4 sources

Severity

8.1HIGH

EPSS

0.5%

top 33.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

195

Cisco Sf500-24 Firmware Cisco Sf500-24mp Firmware Cisco Sf500-24p Firmware +192 more

Timeline

PublishedNov 4

Latest updateMay 24

Description

A vulnerability in the web-based management interface of multiple Cisco Small Business Series Switches could allow an unauthenticated, remote attacker to replay valid user session credentials and gain unauthorized access to the web-based management interface of an affected device. This vulnerability is due to insufficient expiration of session credentials. An attacker could exploit this vulnerability by conducting a man-in-the-middle attack against an affected device to intercept valid session c…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages195 packages

▶CVEListV5cisco/cisco_small_business_smart_and_managed_switchesn/a

▶NVDcisco/sf500-24_firmware2.5.5.0 — 2.5.8.12

▶NVDcisco/sf500-48_firmware2.5.5.0 — 2.5.8.12

▶NVDcisco/sg500-28_firmware2.5.5.0 — 2.5.8.12

▶NVDcisco/sg500-52_firmware2.5.5.0 — 2.5.8.12

🔴Vulnerability Details

GHSA

GHSA-5fmw-qrmv-x2mw: A vulnerability in the web-based management interface of multiple Cisco Small Business Series Switches could allow an unauthenticated, remote attacker↗2022-05-24

▶

CVEList

Cisco Small Business Series Switches Session Credentials Replay Vulnerability↗2021-11-04

▶

📋Vendor Advisories

Cisco

Cisco Small Business Series Switches Session Credentials Replay Vulnerability↗2021-11-03

▶