Vulnerabilites related to cisco - m690x
Vulnerability from fkie_nvd
Published
2021-11-04 16:15
Modified
2024-11-21 06:11
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
A vulnerability in the email scanning algorithm of Cisco AsyncOS software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to perform a denial of service (DoS) attack against an affected device. This vulnerability is due to insufficient input validation of incoming emails. An attacker could exploit this vulnerability by sending a crafted email through Cisco ESA. A successful exploit could allow the attacker to exhaust all the available CPU resources on an affected device for an extended period of time, preventing other emails from being processed and resulting in a DoS condition.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:cisco:asyncos:*:*:*:*:*:*:*:*", matchCriteriaId: "415C4EC7-44E1-4C07-85F0-665A186237EC", versionEndExcluding: "13.0.4", vulnerable: true, }, { criteria: "cpe:2.3:o:cisco:asyncos:13.5.3-010:*:*:*:*:*:*:*", matchCriteriaId: "E2CCDF88-877D-4CB0-B7BD-24D317FA6F16", vulnerable: true, }, { criteria: "cpe:2.3:o:cisco:asyncos:13.7.0-093:*:*:*:*:*:*:*", matchCriteriaId: "3E94354C-6D93-4136-A4B6-5F926E02CA12", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:h:cisco:m170:-:*:*:*:*:*:*:*", matchCriteriaId: "1BD3B1B3-3AFD-4B4A-9FCC-F2EEFA497032", vulnerable: false, }, { criteria: "cpe:2.3:h:cisco:m190:-:*:*:*:*:*:*:*", matchCriteriaId: "A56CF47B-72C9-4590-89B0-59D43CA65894", vulnerable: false, }, { criteria: "cpe:2.3:h:cisco:m380:-:*:*:*:*:*:*:*", matchCriteriaId: "81DBE5E7-524E-458C-BA56-AA806A55ACAE", vulnerable: false, }, { criteria: "cpe:2.3:h:cisco:m390:-:*:*:*:*:*:*:*", matchCriteriaId: "5DFD07C1-F2A7-4DCE-8269-C8B3D2DE1C22", vulnerable: false, }, { criteria: "cpe:2.3:h:cisco:m390x:-:*:*:*:*:*:*:*", matchCriteriaId: "9107B3CD-A607-4C11-ACAC-ACE66DDA51F8", vulnerable: false, }, { criteria: "cpe:2.3:h:cisco:m680:-:*:*:*:*:*:*:*", matchCriteriaId: "86AFDB92-73A0-4FF1-976E-0CD9D342A712", vulnerable: false, }, { criteria: "cpe:2.3:h:cisco:m690:-:*:*:*:*:*:*:*", matchCriteriaId: "2BA39FE7-9CDA-41D3-B31D-33F9DB2FB0B0", vulnerable: false, }, { criteria: "cpe:2.3:h:cisco:m690x:-:*:*:*:*:*:*:*", matchCriteriaId: "E68E58E5-00AB-41BB-85C0-6D65359A4DA3", vulnerable: false, }, { criteria: "cpe:2.3:h:cisco:s195:-:*:*:*:*:*:*:*", matchCriteriaId: "9797CD28-48A3-45BD-BF68-F0DF6F5A5579", vulnerable: false, }, { criteria: "cpe:2.3:h:cisco:s395:-:*:*:*:*:*:*:*", matchCriteriaId: "C6D20279-8176-449A-AF4C-E2C90F370B30", vulnerable: false, }, { criteria: "cpe:2.3:h:cisco:s695:-:*:*:*:*:*:*:*", matchCriteriaId: "D9408ADA-7A8F-4528-8236-65713CF642D5", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, ], cveTags: [], descriptions: [ { lang: "en", value: "A vulnerability in the email scanning algorithm of Cisco AsyncOS software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to perform a denial of service (DoS) attack against an affected device. This vulnerability is due to insufficient input validation of incoming emails. An attacker could exploit this vulnerability by sending a crafted email through Cisco ESA. A successful exploit could allow the attacker to exhaust all the available CPU resources on an affected device for an extended period of time, preventing other emails from being processed and resulting in a DoS condition.", }, { lang: "es", value: "Una vulnerabilidad en el algoritmo de análisis del correo electrónico del software Cisco AsyncOS para Cisco Email Security Appliance (ESA) podría permitir a un atacante remoto no autenticado llevar a cabo un ataque de denegación de servicio (DoS) contra un dispositivo afectado. Esta vulnerabilidad es debido a que la comprobación de entrada de los correos electrónicos entrantes es insuficiente. Un atacante podría explotar esta vulnerabilidad mediante el envío de un correo electrónico diseñado mediante Cisco ESA. Una explotación con éxito podría permitir al atacante agotar todos los recursos de CPU disponibles en un dispositivo afectado durante un período prolongado de tiempo, impidiendo que otros correos electrónicos sean procesados y dando lugar a una condición de DoS", }, ], id: "CVE-2021-34741", lastModified: "2024-11-21T06:11:05.927", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "ykramarz@cisco.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-11-04T16:15:08.660", references: [ { source: "ykramarz@cisco.com", tags: [ "Vendor Advisory", ], url: "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-dos-JOm9ETfO", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-dos-JOm9ETfO", }, ], sourceIdentifier: "ykramarz@cisco.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-770", }, ], source: "ykramarz@cisco.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-770", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
cve-2021-34741
Vulnerability from cvelistv5
Published
2021-11-04 15:40
Modified
2024-11-07 21:44
Severity ?
EPSS score ?
Summary
A vulnerability in the email scanning algorithm of Cisco AsyncOS software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to perform a denial of service (DoS) attack against an affected device. This vulnerability is due to insufficient input validation of incoming emails. An attacker could exploit this vulnerability by sending a crafted email through Cisco ESA. A successful exploit could allow the attacker to exhaust all the available CPU resources on an affected device for an extended period of time, preventing other emails from being processed and resulting in a DoS condition.
References
▼ | URL | Tags |
---|---|---|
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-dos-JOm9ETfO | vendor-advisory, x_refsource_CISCO |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Cisco | Cisco Email Security Appliance (ESA) |
Version: n/a |
|
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T00:19:48.129Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "20211103 Cisco Email Security Appliance Denial of Service Vulnerability", tags: [ "vendor-advisory", "x_refsource_CISCO", "x_transferred", ], url: "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-dos-JOm9ETfO", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2021-34741", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-11-07T21:44:16.445690Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-11-07T21:44:52.277Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "Cisco Email Security Appliance (ESA)", vendor: "Cisco", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2021-11-03T00:00:00", descriptions: [ { lang: "en", value: "A vulnerability in the email scanning algorithm of Cisco AsyncOS software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to perform a denial of service (DoS) attack against an affected device. This vulnerability is due to insufficient input validation of incoming emails. An attacker could exploit this vulnerability by sending a crafted email through Cisco ESA. A successful exploit could allow the attacker to exhaust all the available CPU resources on an affected device for an extended period of time, preventing other emails from being processed and resulting in a DoS condition.", }, ], exploits: [ { lang: "en", value: "The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-770", description: "CWE-770", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2021-11-04T15:40:17", orgId: "d1c1063e-7a18-46af-9102-31f8928bc633", shortName: "cisco", }, references: [ { name: "20211103 Cisco Email Security Appliance Denial of Service Vulnerability", tags: [ "vendor-advisory", "x_refsource_CISCO", ], url: "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-dos-JOm9ETfO", }, ], source: { advisory: "cisco-sa-esa-dos-JOm9ETfO", defect: [ [ "CSCvy59938", ], ], discovery: "INTERNAL", }, title: "Cisco Email Security Appliance Denial of Service Vulnerability", x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "psirt@cisco.com", DATE_PUBLIC: "2021-11-03T16:00:00", ID: "CVE-2021-34741", STATE: "PUBLIC", TITLE: "Cisco Email Security Appliance Denial of Service Vulnerability", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Cisco Email Security Appliance (ESA)", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "Cisco", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "A vulnerability in the email scanning algorithm of Cisco AsyncOS software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to perform a denial of service (DoS) attack against an affected device. This vulnerability is due to insufficient input validation of incoming emails. An attacker could exploit this vulnerability by sending a crafted email through Cisco ESA. A successful exploit could allow the attacker to exhaust all the available CPU resources on an affected device for an extended period of time, preventing other emails from being processed and resulting in a DoS condition.", }, ], }, exploit: [ { lang: "en", value: "The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.", }, ], impact: { cvss: { baseScore: "7.5", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-770", }, ], }, ], }, references: { reference_data: [ { name: "20211103 Cisco Email Security Appliance Denial of Service Vulnerability", refsource: "CISCO", url: "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-dos-JOm9ETfO", }, ], }, source: { advisory: "cisco-sa-esa-dos-JOm9ETfO", defect: [ [ "CSCvy59938", ], ], discovery: "INTERNAL", }, }, }, }, cveMetadata: { assignerOrgId: "d1c1063e-7a18-46af-9102-31f8928bc633", assignerShortName: "cisco", cveId: "CVE-2021-34741", datePublished: "2021-11-04T15:40:17.777881Z", dateReserved: "2021-06-15T00:00:00", dateUpdated: "2024-11-07T21:44:52.277Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }