First published: Wed Oct 06 2021
A vulnerability in the web-based management interface of Cisco Intersight Virtual Appliance could allow an authenticated, remote attacker to perform a command injection attack on an affected device. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by using the web-based management interface to execute a command using crafted input. A successful exploit could allow the attacker to execute arbitrary commands using root-level privileges on an affected device. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucsi2-command-inject-CGyC8y2R
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cisco Intersight Virtual Appliance | 1.0.9-150 to 1.0.9-292 (< 1.0.9-302) | 1.0.9-302 |
Cisco SA UCSI2 Command Inject CGyC8y2R is a vulnerability in the web-based management interface of Cisco Intersight Virtual Appliance that allows an authenticated, remote attacker to perform a command injection attack.
If you have an affected version of Cisco Intersight Virtual Appliance installed, an attacker could exploit this vulnerability to execute arbitrary commands on the device.
The severity of Cisco SA UCSI2 Command Inject CGyC8y2R is high, with a CVSS score of 8.8.
To fix Cisco SA UCSI2 Command Inject CGyC8y2R, upgrade to version 1.0.9-302 of Cisco Intersight Virtual Appliance or apply the appropriate remediation provided by Cisco.
CWE-20 (Improper Input Validation) is the root cause of the vulnerability, and CWE-77 (Improper Neutralization of Special Elements used in a Command, i.e. command injection) is the vulnerability type: the interface accepts crafted input without adequate validation, and that input reaches a command executed with root-level privileges.