External Control of File Name or Path in Cisco Systems, Inc products - CVE-2021-1306
Published: May 21, 2021
Vulnerability identifier: #VU53411
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-1306
CWE-ID: CWE-73
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Cisco Systems, Inc
Affected software:
Cisco Prime Infrastructure
Evolved Programmable Network (EPN) Manager
Cisco Identity Services Engine (ISE)
Cisco Prime Infrastructure
Evolved Programmable Network (EPN) Manager
Cisco Identity Services Engine (ISE)
Detailed vulnerability description
The vulnerability allows a local user to write arbitrary files.
The vulnerability exists due to improper validation of parameters that are sent to a CLI command within the restricted shell. A local user can dentify file directories on the affected device and write arbitrary files to the file system.
How to mitigate CVE-2021-1306
Install updates from vendor's website.