CVE-2021-1579
Severity CVSS v4.0:
Pending analysis
Type:
CWE-269
Improper Privilege Management
Publication date:
25/08/2021
Last modified:
07/11/2023
Description
A vulnerability in an API endpoint of Cisco Application Policy Infrastructure Controller (APIC) and Cisco Cloud Application Policy Infrastructure Controller (Cloud APIC) could allow an authenticated, remote attacker with Administrator read-only credentials to elevate privileges on an affected system. This vulnerability is due to an insufficient role-based access control (RBAC). An attacker with Administrator read-only credentials could exploit this vulnerability by sending a specific API request using an app with admin write credentials. A successful exploit could allow the attacker to elevate privileges to Administrator with write privileges on the affected device.
Impact
Base Score 3.x
8.80
Severity 3.x
HIGH
Base Score 2.0
9.00
Severity 2.0
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:cisco:application_policy_infrastructure_controller:*:*:*:*:*:*:*:* | 3.2\(10f\) (excluding) | |
| cpe:2.3:a:cisco:application_policy_infrastructure_controller:*:*:*:*:*:*:*:* | 4.0 (including) | 4.2\(7l\) (excluding) |
| cpe:2.3:a:cisco:application_policy_infrastructure_controller:*:*:*:*:*:*:*:* | 5.0 (including) | 5.2\(2f\) (excluding) |
| cpe:2.3:a:cisco:cloud_application_policy_infrastructure_controller:*:*:*:*:*:*:*:* | 3.2\(10f\) (excluding) | |
| cpe:2.3:a:cisco:cloud_application_policy_infrastructure_controller:*:*:*:*:*:*:*:* | 4.0 (including) | 4.2\(7l\) (excluding) |
| cpe:2.3:a:cisco:cloud_application_policy_infrastructure_controller:*:*:*:*:*:*:*:* | 5.0 (including) | 5.2\(2f\) (excluding) |
To consult the complete list of CPE names with products and versions, see this page