CVE-2021-1227

Published: Feb 24, 2021Modified: Nov 21, 2024

8.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Exploitability: 2.8 / Impact: 5.2

Source: NVD

Description

A vulnerability in the NX-API feature of Cisco NX-OS Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. This vulnerability is due to insufficient CSRF protections for the NX-API on an affected device. An attacker could exploit this vulnerability by persuading a user of the NX-API to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. The attacker could view and modify the device configuration. Note: The NX-API feature is disabled by default.

Affected (5)

Products: Cisco: Nx Os

Cisco

1 product

Nx Os

Configuration A

3 vulnerable · 6 platform

Vulnerable Software	Affected Versions
Cisco Nx Os	Version 8.4(2a)
Cisco Nx Os	Version 8.4(3)
Cisco Nx Os	Version 8.4(3)s19

Running on/with	Platform Versions
Cisco Mds 9148s	All versions
Cisco Mds 9250i	All versions
Cisco Mds 9706	All versions
Cisco Mds 9710	All versions
Cisco Nexus 7000	All versions
Cisco Nexus 7700	All versions

Configuration B

1 vulnerable · 27 platform

Vulnerable Software	Affected Versions
Cisco Nx Os	Version 9.3(3)idi9(0.569)

Running on/with	Platform Versions
Cisco Nexus 3048	All versions
Cisco Nexus 31108pv V	All versions
Cisco Nexus 31108tc V	All versions
Cisco Nexus 31128pq	All versions
Cisco Nexus 3132c Z	All versions
Cisco Nexus 3132q V	All versions
Cisco Nexus 3132q X	All versions
Cisco Nexus 3132q Xl	All versions
Cisco Nexus 3164q	All versions
Cisco Nexus 3172pq	All versions
Cisco Nexus 3172pq Xl	All versions
Cisco Nexus 3232c	All versions
Cisco Nexus 3264c E	All versions
Cisco Nexus 3264q	All versions
Cisco Nexus 3408 S	All versions
Cisco Nexus 34180yc	All versions
Cisco Nexus 3432d S	All versions
Cisco Nexus 3464c	All versions
Cisco Nexus 3524 X	All versions
Cisco Nexus 3524 Xl	All versions
Cisco Nexus 3548 X	All versions
Cisco Nexus 3548 Xl	All versions
Cisco Nexus 36180yc R	All versions
Cisco Nexus 3636c R	All versions
Cisco Nexus 9200	All versions
Cisco Nexus 9300	All versions
Cisco Nexus 9500	All versions

Configuration C

1 vulnerable · 12 platform

Vulnerable Software	Affected Versions
Cisco Nx Os	Version 7.3(8)n1(0.809)

Running on/with	Platform Versions
Cisco Nexus 5548p	All versions
Cisco Nexus 5548up	All versions
Cisco Nexus 5596t	All versions
Cisco Nexus 5596up	All versions
Cisco Nexus 56128p	All versions
Cisco Nexus 5624q	All versions
Cisco Nexus 5648q	All versions
Cisco Nexus 5672up	All versions
Cisco Nexus 5672up 16g	All versions
Cisco Nexus 5696q	All versions
Cisco Nexus 6001	All versions
Cisco Nexus 6004	All versions

Related CWEs

CWE-352

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (2)

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-nxapi-csrf-wRMzWL9z

Source: psirt@cisco.com

Vendor Advisory

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-nxapi-csrf-wRMzWL9z

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.