CVE-2021-1369 : A vulnerability in the REST API of Cisco Firepower Device Manager (FDM) On-Box S

A vulnerability in the REST API of Cisco Firepower Device Manager (FDM) On-Box Software could allow an authenticated, remote attacker to gain read and write access to information that is stored on an affected device. This vulnerability is due to the improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by sending malicious requests that contain references in XML entities to an affected system. A successful exploit could allow the attacker to retrieve files from the local system, resulting in the disclosure of sensitive information or causing a partial denial of service (DoS) condition on the affected device.

Published 2021-04-29 18:15:09

Updated 2021-05-05 20:27:11

Source Cisco Systems, Inc.

View at NVD, CVE.org

Vulnerability category: XML external entity (XXE) injectionDenial of service

Products affected by CVE-2021-1369

Cisco » Firepower Device Manager
Versions before (<) 6.5.0.5
cpe:2.3:a:cisco:firepower_device_manager:*:*:*:*:*:*:*:*
Matching versions
Cisco » Firepower Device Manager
Versions from including (>=) 6.6.0 and before (<) 6.6.3
cpe:2.3:a:cisco:firepower_device_manager:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2021-1369

EPSS FAQ

0.53%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 65 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-1369

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.5	MEDIUM	AV:N/AC:L/Au:S/C:P/I:N/A:P	8.0	4.9	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Partial Integrity Impact: None Availability Impact: Partial
5.4	MEDIUM	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L	2.8	2.5	Cisco Systems, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: None Availability: Low
5.4	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L	2.8	2.5	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: None Availability: Low

CWE ids for CVE-2021-1369

CWE-611 Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Assigned by: ykramarz@cisco.com (Primary)

References for CVE-2021-1369

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fdm-xxe-zR7sxPfs

Cisco Firepower Device Manager On-Box Software XML External Entity Vulnerability
Vendor Advisory

Jump to

Vulnerability Details : CVE-2021-1369

Products affected by CVE-2021-1369

Exploit prediction scoring system (EPSS) score for CVE-2021-1369

CVSS scores for CVE-2021-1369

CWE ids for CVE-2021-1369

References for CVE-2021-1369