CVE-2021-1132

Path Traversal: '.../...//' (CWE-35)

Published: Nov 18, 2024 / Updated: 1d ago

CVSS 5.3 / No EPSS yet / Medium

A vulnerability in the API subsystem and in the web-management interface of Cisco Network Services Orchestrator (NSO) could allow an unauthenticated, remote attacker to access sensitive data. This vulnerability exists because the web-management interface and certain HTTP-based APIs do not properly validate user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request that contains directory traversal character sequences to an affected system. A successful exploit could allow the attacker to access sensitive files on the affected system. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Timeline

First Article

Feedly found the first article mentioning CVE-2021-1132.

Mar 3, 2021 at 4:03 PM / tools.cisco.com

CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Nov 18, 2024 at 3:50 PM

CVE Assignment

NVD published the first details for CVE-2021-1132

Nov 18, 2024 at 4:15 PM

CVSS

A CVSS base score of 5.3 has been assigned.

Nov 18, 2024 at 4:20 PM / nvd

Affected Systems

Cisco/network_services_orchestrator

News

Medium - CVE-2021-1132 - A vulnerability in the API subsystem and in the...
A vulnerability in the API subsystem and in the web-management interface of Cisco Network Services Orchestrator (NSO) could allow an unauthenticated, remote attacker to access sensitive data....
Cisco Network Services Orchestrator Path Traversal Vulnerability
Cisco - MEDIUM - CVE-2021-1132: A vulnerability in the API subsystem and in the web-management interface of Cisco Network Services Orchestrator (NSO) could allow an unauthenticated, remote attacker to access sensitive data. This vulnerability exists because the web-management interface and certain HTTP-based APIs do not properly validate user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request that contains directory traversal character sequences to an affected system. A successful exploit could allow the attacker to access sensitive files on the affected system. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
CVE-2021-1132 | Cisco Network Services Orchestrator 5.3.1/5.4/5.4.0.1/5.4.0.2 API Subsystem/Web-Management Interface path traversal (cisco-sa-nso-path-trvsl-dZRQE8Lc)
A vulnerability, which was classified as problematic, was found in Cisco Network Services Orchestrator 5.3.1/5.4/5.4.0.1/5.4.0.2. Affected is an unknown function of the component API Subsystem/Web-Management Interface. The manipulation leads to path traversal: '.../...//'. This vulnerability is traded as CVE-2021-1132. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.
Cisco Network Services Orchestrator Path Traversal Vulnerability: A vulnerabili...
A vulnerability in the API subsystem and in the web-management interface of Cisco Network Services Orchestrator (NSO) could allow an unauthenticated, remote attacker to access sensitive data. A successful exploit could allow the attacker to access sensitive files on the affected system. Cisco has released software updates that address this vulnerability.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability Impact: None
