CVE-2021-1546

23.09.2021, 03:15

A vulnerability in the CLI of Cisco SD-WAN Software could allow an authenticated, local attacker to access sensitive information. This vulnerability is due to improper protections on file access through the CLI. An attacker could exploit this vulnerability by running a CLI command that targets an arbitrary file on the local system. A successful exploit could allow the attacker to return portions of an arbitrary file, possibly resulting in the disclosure of sensitive information.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
cisco	CNA	5.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 37%

Vendor	Product	Version
cisco	catalyst_sd-wan_manager	18.4 ≤ 𝑥 < 20.4.2
cisco	catalyst_sd-wan_manager	20.6 ≤ 𝑥 < 20.6.1
cisco	sd-wan_vbond_orchestrator	18.4 ≤ 𝑥 < 20.4.2
cisco	sd-wan_vbond_orchestrator	20.5 ≤ 𝑥 < 20.5.2
cisco	sd-wan_vbond_orchestrator	20.6 ≤ 𝑥 < 20.6.1
cisco	sd-wan_vmanage	20.5 ≤ 𝑥 < 20.5.2
cisco	vsmart_controller_firmware	18.4 ≤ 𝑥 < 20.4.2
cisco	vsmart_controller_firmware	20.5 ≤ 𝑥 < 20.5.2
cisco	vsmart_controller_firmware	20.6 ≤ 𝑥 < 20.6.1
cisco	vedge_100_firmware	18.4 ≤ 𝑥 < 20.4.2
cisco	vedge_100_firmware	20.5 ≤ 𝑥 < 20.5.2
cisco	vedge_100_firmware	20.6 ≤ 𝑥 < 20.6.1
cisco	vedge_1000_firmware	18.4 ≤ 𝑥 < 20.4.2
cisco	vedge_1000_firmware	20.5 ≤ 𝑥 < 20.5.2
cisco	vedge_1000_firmware	20.6 ≤ 𝑥 < 20.6.1
cisco	vedge_100b_firmware	18.4 ≤ 𝑥 < 20.4.2
cisco	vedge_100b_firmware	20.5 ≤ 𝑥 < 20.5.2
cisco	vedge_100b_firmware	20.6 ≤ 𝑥 < 20.6.1
cisco	vedge_100m_firmware	18.4 ≤ 𝑥 < 20.4.2
cisco	vedge_100m_firmware	20.5 ≤ 𝑥 < 20.5.2
cisco	vedge_100m_firmware	20.6 ≤ 𝑥 < 20.6.1
cisco	vedge_100wm_firmware	18.4 ≤ 𝑥 < 20.4.2
cisco	vedge_100wm_firmware	20.5 ≤ 𝑥 < 20.5.2
cisco	vedge_100wm_firmware	20.6 ≤ 𝑥 < 20.6.1
cisco	vedge_2000_firmware	18.4 ≤ 𝑥 < 20.4.2
cisco	vedge_2000_firmware	20.5 ≤ 𝑥 < 20.5.2
cisco	vedge_2000_firmware	20.6 ≤ 𝑥 < 20.6.1
cisco	vedge_5000_firmware	18.4 ≤ 𝑥 < 20.4.2
cisco	vedge_5000_firmware	20.5 ≤ 𝑥 < 20.5.2
cisco	vedge_5000_firmware	20.6 ≤ 𝑥 < 20.6.1
cisco	vedge_cloud_firmware	18.4 ≤ 𝑥 < 20.4.2
cisco	vedge_cloud_firmware	20.5 ≤ 𝑥 < 20.5.2
cisco	vedge_cloud_firmware	20.6 ≤ 𝑥 < 20.6.1

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-209 - Generation of Error Message Containing Sensitive Information
The software generates an error message that includes sensitive information about its environment, users, or associated data.

References

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sd-wan-Fhqh8pKX