Cisco ACI Multi-Site Orchestrator Application Services Engine Deployment Authentication Bypass Vulnerability
CVE-2021-1388

10CRITICAL

Key Information:

Vendor: Cisco
Status: Cisco Aci Multi-site Orchestrator Software
Vendor: CVE Published:; 24 February 2021

Badges

👾 Exploit Exists

Summary

A vulnerability in an API endpoint of Cisco ACI Multi-Site Orchestrator (MSO) installed on the Application Services Engine could allow an unauthenticated, remote attacker to bypass authentication on an affected device. The vulnerability is due to improper token validation on a specific API endpoint. An attacker could exploit this vulnerability by sending a crafted request to the affected API. A successful exploit could allow the attacker to receive a token with administrator-level privileges that could be used to authenticate to the API on affected MSO and managed Cisco Application Policy Infrastructure Controller (APIC) devices.

Affected Version(s)

Cisco ACI Multi-Site Orchestrator Software

References

https://tools.cisco.com/security/center/content/CiscoSecu...

vendor-advisoryx_refsource_CISCO

CVSS V3.1

Score:

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Timeline

👾
Exploit known to exist
Aug 3, 2024
Vulnerability published
Feb 24, 2021
Vulnerability Reserved
Nov 13, 2020