Absolute Path Traversal in Cisco Systems, Inc products - CVE-2021-34711
Published: October 7, 2021
Vulnerability identifier: #VU57111
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-34711
CWE-ID: CWE-36
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Cisco Systems, Inc
Affected software:
Cisco IP Conference Phone 7832
Cisco IP Conference Phone 8832
Cisco IP Phone 8800 Series
Cisco Wireless IP Phone 8821
IP Phone 7800 Series
Cisco IP Conference Phone 7832
Cisco IP Conference Phone 8832
Cisco IP Phone 8800 Series
Cisco Wireless IP Phone 8821
IP Phone 7800 Series
Detailed vulnerability description
The vulnerability allows a local user to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. A local user can provide a specially crafted input to a debug shell command and read arbitrary files on the system.
How to mitigate CVE-2021-34711
Install update from vendor's website.