Skip to main content

Unified Computing System Central Software CVE-2021-1354

LOW
Improper Certificate Validation (CWE-295)
2021-02-04 psirt@cisco.com
3.5
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.5 LOW
AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Feb 04, 2021 - 17:15 nvd
LOW 3.5

DescriptionNVD

A vulnerability in the certificate registration process of Cisco Unified Computing System (UCS) Central Software could allow an authenticated, adjacent attacker to register a rogue Cisco Unified Computing System Manager (UCSM). This vulnerability is due to improper certificate validation. An attacker could exploit this vulnerability by sending a crafted HTTP request to the registration API. A successful exploit could allow the attacker to register a rogue Cisco UCSM and gain access to Cisco UCS Central Software data and Cisco UCSM inventory data.

AnalysisAI

A vulnerability in the certificate registration process of Cisco Unified Computing System (UCS) Central Software could allow an authenticated, adjacent attacker to register a rogue Cisco Unified. Rated low severity (CVSS 3.5), this vulnerability is low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-295. A vulnerability in the certificate registration process of Cisco Unified Computing System (UCS) Central Software could allow an authenticated, adjacent attacker to register a rogue Cisco Unified Computing System Manager (UCSM). This vulnerability is due to improper certificate validation. An attacker could exploit this vulnerability by sending a crafted HTTP request to the registration API. A successful exploit could allow the attacker to register a rogue Cisco UCSM and gain access to Cisco UCS Central Software data and Cisco UCSM inventory data. Affected products include: Cisco Unified Computing System Central Software.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2015-0701 CRITICAL
10.0 May 07

Cisco UCS Central Software before 1.3(1a) allows remote attackers to execute arbitrary commands via a crafted HTTP reque

CVE-2016-1352 CRITICAL
9.8 Apr 14

Cisco Unified Computing System (UCS) Central Software 1.3(1b) and earlier allows remote attackers to execute arbitrary O

CVE-2018-0113 HIGH
8.8 Feb 08

A vulnerability in an operations script of Cisco UCS Central could allow an authenticated, remote attacker to execute ar

CVE-2018-0094 HIGH
7.5 Jan 18

A vulnerability in IPv6 ingress packet processing for Cisco UCS Central Software could allow an unauthenticated, remote

CVE-2014-0730 MEDIUM
6.8 Feb 22

Cisco Unified Computing System (UCS) Central Software 1.1 and earlier allows local users to gain privileges via a CLI co

CVE-2016-1401 MEDIUM
6.1 May 21

Cross-site scripting (XSS) vulnerability in the management interface in Cisco Unified Computing System (UCS) Central Sof

CVE-2017-12349 MEDIUM
5.4 Nov 30

Multiple vulnerabilities in the web-based management interface of Cisco UCS Central Software could allow a remote attack

CVE-2017-12348 MEDIUM
5.4 Nov 30

Multiple vulnerabilities in the web-based management interface of Cisco UCS Central Software could allow a remote attack

CVE-2015-6388 MEDIUM
5.0 Dec 05

Cisco Unified Computing System (UCS) Central software 1.3(0.1) allows remote attackers to conduct server-side request fo

CVE-2015-4286 MEDIUM
5.0 Jul 29

The web framework in Cisco UCS Central Software 1.3(0.99) allows remote attackers to read arbitrary files via a crafted

CVE-2015-6387 MEDIUM
4.3 Dec 05

Cross-site scripting (XSS) vulnerability in Cisco Unified Computing System (UCS) Central Software 1.3(0.1) allows remote

Share

CVE-2021-1354 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy