Cisco SD-WAN vManage Software Vulnerability: SQL Injection Attacks Possible
CVE-2021-1470

4.9MEDIUM

Key Information:

Vendor
Cisco
Status
Cisco Catalyst Sd-wan Manager
Vendor
CVE Published:
15 November 2024

Summary

A vulnerability exists in the web-based management interface of Cisco's SD-WAN vManage Software, allowing authenticated remote attackers to perform SQL injection attacks. This vulnerability stems from inadequate input validation for SQL queries. By authenticating to the application, attackers can send crafted SQL queries, potentially leading to unauthorized access to modify or retrieve information from the vManage database or the operating system beneath it. Cisco recommends applying the released software updates to mitigate this issue, as no workarounds effectively address the vulnerability.

Affected Version(s)

Cisco Catalyst SD-WAN Manager 20.1.12

Cisco Catalyst SD-WAN Manager 19.2.1

Cisco Catalyst SD-WAN Manager 18.4.4

References

https://sec.cloudapps.cisco.com/security/center/content/C...
https://sec.cloudapps.cisco.com/security/center/content/C...
https://sec.cloudapps.cisco.com/security/center/content/C...

CVSS V3.1

Score:
4.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.