CVE-2021-1258


A vulnerability in the upgrade component of Cisco AnyConnect Secure Mobility Client could allow an authenticated, local attacker with low privileges to read arbitrary files on the underlying operating system (OS) of an affected device. The vulnerability is due to insufficient file permission restrictions. An attacker could exploit this vulnerability by sending a crafted command from the local CLI to the application. A successful exploit could allow the attacker to read arbitrary files on the underlying OS of the affected device. The attacker would need to have valid user credentials to exploit this vulnerability.


Published

2021-01-13T22:15:21.287

Last Modified

2024-11-21T05:43:56.737

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.5 (MEDIUM)

CVSSv2 Vector

AV:L/AC:L/Au:N/C:P/I:N/A:N

  • Access Vector: LOCAL
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: NONE

Exploitability Score

3.9

Impact Score

2.9

Weaknesses

  • Type: Secondary
    CWE-264
  • Type: Primary
    CWE-269

Affected Vendors & Products

| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | cisco | anyconnect_secure_mobility_client | < 4.9.03047 | Yes |
| Application | cisco | anyconnect_secure_mobility_client | < 4.9.03047 | Yes |
| Application | cisco | anyconnect_secure_mobility_client | < 4.9.03049 | Yes |
| Application | mcafee | agent_epolicy_orchestrator_extension | < 5.7.6 | Yes |
| Operating System | microsoft | windows | - | No |

References