CVE-2021-40113

Published: Nov 4, 2021Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Multiple vulnerabilities in the web-based management interface of the Cisco Catalyst Passive Optical Network (PON) Series Switches Optical Network Terminal (ONT) could allow an unauthenticated, remote attacker to perform the following actions: Log in with a default credential if the Telnet protocol is enabled Perform command injection Modify the configuration For more information about these vulnerabilities, see the Details section of this advisory.

Affected (5)

Products: Cisco: Catalyst Pon Switch Cgp Ont 1p Firmware, Catalyst Pon Switch Cgp Ont 4p Firmware, Catalyst Pon Switch Cgp Ont 4pvc Firmware, Catalyst Pon Switch Cgp Ont 4tvcw Firmware, Catalyst Pon Switch Cgp Ont 4pv Firmware

Cisco

5 products

Catalyst Pon Switch Cgp Ont 1p Firmware

Catalyst Pon Switch Cgp Ont 4p Firmware

Catalyst Pon Switch Cgp Ont 4pvc Firmware

Catalyst Pon Switch Cgp Ont 4tvcw Firmware

Catalyst Pon Switch Cgp Ont 4pv Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Cisco Catalyst Pon Switch Cgp Ont 1p Firmware	Before 1.1.1.14

Running on/with	Platform Versions
Cisco Catalyst Pon Switch Cgp Ont 1p	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Cisco Catalyst Pon Switch Cgp Ont 4p Firmware	Before 1.1.3.17

Running on/with	Platform Versions
Cisco Catalyst Pon Switch Cgp Ont 4p	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Cisco Catalyst Pon Switch Cgp Ont 4pvc Firmware	Before 1.1.3.17

Running on/with	Platform Versions
Cisco Catalyst Pon Switch Cgp Ont 4pvc	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Cisco Catalyst Pon Switch Cgp Ont 4tvcw Firmware	Before 1.1.3.17

Running on/with	Platform Versions
Cisco Catalyst Pon Switch Cgp Ont 4tvcw	All versions

Configuration E

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Cisco Catalyst Pon Switch Cgp Ont 4pv Firmware	Before 1.1.3.17

Running on/with	Platform Versions
Cisco Catalyst Pon Switch Cgp Ont 4pv	All versions

Related CWEs

CWE-284

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (2)

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-catpon-multivulns-CE3DSYGr

Source: psirt@cisco.com

PatchVendor Advisory

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-catpon-multivulns-CE3DSYGr

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.