CVE-2021-34782

A vulnerability in the API endpoints for Cisco DNA Center could allow an authenticated, remote attacker to gain access to sensitive information that should be restricted. The attacker must have valid device credentials. This vulnerability is due to improper access controls on API endpoints. An attacker could exploit the vulnerability by sending a specific API request to an affected application. A successful exploit could allow the attacker to obtain sensitive information about other users who are configured with higher privileges on the application.

CVSS v3 4.3 MEDIUM
CVSS v2.0 4.0 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnac-infodisc-KyC6YncS	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:cisco:dna_center::::::::
	cpe:2.3:a:cisco:dna_center::::::::

History

14 Oct 2021, 19:14

Type	Values Removed	Values Added
CWE		NVD-CWE-Other
References	~~(CISCO) https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnac-infodisc-KyC6YncS -~~	(CISCO) https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnac-infodisc-KyC6YncS - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 4.0 v3 : 4.3
CPE		cpe:2.3:a:cisco:dna_center::::::::

06 Oct 2021, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2021-10-06 20:15

Updated : 2023-12-10 14:09

NVD link : CVE-2021-34782

Mitre link : CVE-2021-34782

CVE.ORG link : CVE-2021-34782

JSON object : View

Products Affected

cisco

dna_center

CWE

NVD-CWE-Other CWE-202

Exposure of Sensitive Information Through Data Queries

{"id": "CVE-2021-34782", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "ykramarz@cisco.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2021-10-06T20:15:18.677", "references": [{"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnac-infodisc-KyC6YncS", "tags": ["Vendor Advisory"], "source": "ykramarz@cisco.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}, {"type": "Secondary", "source": "ykramarz@cisco.com", "description": [{"lang": "en", "value": "CWE-202"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in the API endpoints for Cisco DNA Center could allow an authenticated, remote attacker to gain access to sensitive information that should be restricted. The attacker must have valid device credentials. This vulnerability is due to improper access controls on API endpoints. An attacker could exploit the vulnerability by sending a specific API request to an affected application. A successful exploit could allow the attacker to obtain sensitive information about other users who are configured with higher privileges on the application."}, {"lang": "es", "value": "Una vulnerabilidad en los endpoints de la API para Cisco DNA Center podr\u00eda permitir a un atacante remoto autenticado conseguir acceso a informaci\u00f3n confidencial que deber\u00eda estar restringida. El atacante debe tener credenciales v\u00e1lidas en el dispositivo. Esta vulnerabilidad es debido a controles de acceso inapropiados en los endpoints de la API. Un atacante podr\u00eda explotar la vulnerabilidad mediante el env\u00edo de una petici\u00f3n espec\u00edfica de la API a una aplicaci\u00f3n afectada. Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir al atacante conseguir informaci\u00f3n confidencial sobre otros usuarios que est\u00e1n configurados con privilegios m\u00e1s altos en la aplicaci\u00f3n"}], "lastModified": "2023-11-07T03:36:24.107", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cisco:dna_center:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "50E90585-0B10-4C39-93D6-3A87F64D6DF3", "versionEndExcluding": "2.2.2.5"}, {"criteria": "cpe:2.3:a:cisco:dna_center:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C1C06ACF-9D47-4DBC-BE38-4FB5FA0770D5", "versionEndExcluding": "2.2.3.3", "versionStartIncluding": "2.2.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "ykramarz@cisco.com"}