nvd-json-data-feeds/CVE-2021/CVE-2021-15xx/CVE-2021-1522.json

{
  "id": "CVE-2021-1522",
  "sourceIdentifier": "ykramarz@cisco.com",
  "published": "2021-08-04T18:15:08.287",
  "lastModified": "2021-08-11T18:30:28.930",
  "vulnStatus": "Analyzed",
  "descriptions": [
    {
      "lang": "en",
      "value": "A vulnerability in the change password API of Cisco Connected Mobile Experiences (CMX) could allow an authenticated, remote attacker to alter their own password to a value that does not comply with the strong authentication requirements that are configured on an affected device. This vulnerability exists because a password policy check is incomplete at the time a password is changed at server side using the API. An attacker could exploit this vulnerability by sending a specially crafted API request to the affected device. A successful exploit could allow the attacker to change their own password to a value that does not comply with the configured strong authentication requirements."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad en la API de cambio de contrase\u00f1a de Cisco Connected Mobile Experiences (CMX), podr\u00eda permitir a un atacante remoto autenticado alterar su propia contrase\u00f1a a un valor que no cumpla con los requisitos de autenticaci\u00f3n fuerte que est\u00e1n configurados en un dispositivo afectado. Esta vulnerabilidad se presenta porque una comprobaci\u00f3n de la pol\u00edtica de contrase\u00f1as est\u00e1 incompleta en el momento en que se cambia una contrase\u00f1a en el lado del servidor usando la API. Un atacante podr\u00eda explotar esta vulnerabilidad mediante el env\u00edo de una petici\u00f3n API especialmente dise\u00f1ada al dispositivo afectado. Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir al atacante cambiar su propia contrase\u00f1a a un valor que no cumpla con los requisitos de autenticaci\u00f3n fuerte configurados"
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "LOW",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4
      }
    ],
    "cvssMetricV30": [
      {
        "source": "ykramarz@cisco.com",
        "type": "Secondary",
        "cvssData": {
          "version": "3.0",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "LOW",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4
      }
    ],
    "cvssMetricV2": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "2.0",
          "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
          "accessVector": "NETWORK",
          "accessComplexity": "LOW",
          "authentication": "SINGLE",
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "availabilityImpact": "NONE",
          "baseScore": 4.0
        },
        "baseSeverity": "MEDIUM",
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "acInsufInfo": false,
        "obtainAllPrivilege": false,
        "obtainUserPrivilege": false,
        "obtainOtherPrivilege": false,
        "userInteractionRequired": false
      }
    ]
  },
  "weaknesses": [
    {
      "source": "nvd@nist.gov",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-521"
        }
      ]
    },
    {
      "source": "ykramarz@cisco.com",
      "type": "Secondary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-255"
        }
      ]
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "operator": "OR",
          "negate": false,
          "cpeMatch": [
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:cisco:connected_mobile_experiences:10.6.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "46B3BCD8-4F1F-4503-9427-1787B7B5B112"
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:cisco:connected_mobile_experiences:10.6.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "A4548832-9572-4CBF-B77F-1A72ABAF2910"
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:cisco:connected_mobile_experiences:10.6.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "3B8CAC5F-18EF-446B-9A69-A5AB70EA753A"
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:cisco:connected_mobile_experiences:10.6.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "C0805FC9-11E5-4E04-BD4D-3C32CB220594"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cmx-GkCvfd4",
      "source": "ykramarz@cisco.com",
      "tags": [
        "Vendor Advisory"
      ]
    }
  ]
}