← Back

CVE-2021-1258

nvd nist
Published: Jan 13, 2021Modified: Nov 21, 2024

JSON object

Loading...
5.5
Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 1.8 / Impact: 3.6
Source: NVD

Description

A vulnerability in the upgrade component of Cisco AnyConnect Secure Mobility Client could allow an authenticated, local attacker with low privileges to read arbitrary files on the underlying operating system (OS) of an affected device. The vulnerability is due to insufficient file permission restrictions. An attacker could exploit this vulnerability by sending a crafted command from the local CLI to the application. A successful exploit could allow the attacker to read arbitrary files on the underlying OS of the affected device. The attacker would need to have valid user credentials to exploit this vulnerability.

Affected (4)

Cisco
1 product
Anyconnect Secure Mobility Client
Mcafee
1 product
Agent Epolicy Orchestrator Extension
Configuration A
3 vulnerable
Vulnerable SoftwareAffected Versions
Cisco
Anyconnect Secure Mobility Client
Before 4.9.03047
Anyconnect Secure Mobility Client
Before 4.9.03047
Anyconnect Secure Mobility Client
Before 4.9.03049
Configuration B
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Agent Epolicy Orchestrator Extension
Before 5.7.6
Running on/withPlatform Versions
Microsoft
Windows
All versions

Related CWEs

CWE-264
CWE-264
CWE-269
Improper Privilege Management
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

References (4)

Source: psirt@cisco.com
Third Party Advisory
Source: psirt@cisco.com
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory

Timeline

No history available yet.