Vulnerabilities
Misconfiguration
Runtime Security
Compliance
CVE Vulnerabilities

CVE-2021-1594

Incorrect Privilege Assignment

Published: Oct 06, 2021 | Modified: Nov 21, 2024
CVSS 3.x
8.1
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
9.3 HIGH
AV:N/AC:M/Au:N/C:C/I:C/A:C
RedHat/V2
RedHat/V3
Ubuntu
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2021-1594
CWEhttps://cwe.mitre.org/data/definitions/266.html

A vulnerability in the REST API of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to perform a command injection attack and elevate privileges to root. This vulnerability is due to insufficient input validation for specific API endpoints. An attacker in a man-in-the-middle position could exploit this vulnerability by intercepting and modifying specific internode communications from one ISE persona to another ISE persona. A successful exploit could allow the attacker to run arbitrary commands with root privileges on the underlying operating system. To exploit this vulnerability, the attacker would need to decrypt HTTPS traffic between two ISE personas that are located on separate nodes.

Weakness

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

Affected Software

Name Vendor Start Version End Version
Identity_services_engine Cisco 2.4.0 (including) 2.6.0 (excluding)
Identity_services_engine Cisco 2.4(0.902) (including) 2.4(0.902) (including)
Identity_services_engine Cisco 2.6(0.156) (including) 2.6(0.156) (including)
Identity_services_engine Cisco 2.6.0 (including) 2.6.0 (including)
Identity_services_engine Cisco 2.6.0-patch1 (including) 2.6.0-patch1 (including)
Identity_services_engine Cisco 2.6.0-patch2 (including) 2.6.0-patch2 (including)
Identity_services_engine Cisco 2.6.0-patch3 (including) 2.6.0-patch3 (including)
Identity_services_engine Cisco 2.6.0-patch5 (including) 2.6.0-patch5 (including)
Identity_services_engine Cisco 2.6.0-patch6 (including) 2.6.0-patch6 (including)
Identity_services_engine Cisco 2.6.0-patch7 (including) 2.6.0-patch7 (including)
Identity_services_engine Cisco 2.6.0-patch8 (including) 2.6.0-patch8 (including)
Identity_services_engine Cisco 2.6.0-patch9 (including) 2.6.0-patch9 (including)
Identity_services_engine Cisco 2.7(0.903) (including) 2.7(0.903) (including)
Identity_services_engine Cisco 2.7.0 (including) 2.7.0 (including)
Identity_services_engine Cisco 2.7.0-patch1 (including) 2.7.0-patch1 (including)
Identity_services_engine Cisco 2.7.0-patch2 (including) 2.7.0-patch2 (including)
Identity_services_engine Cisco 2.7.0-patch3 (including) 2.7.0-patch3 (including)
Identity_services_engine Cisco 2.7.0-patch4 (including) 2.7.0-patch4 (including)
Identity_services_engine Cisco 3.0(0.458) (including) 3.0(0.458) (including)
Identity_services_engine Cisco 3.0.0 (including) 3.0.0 (including)
Identity_services_engine Cisco 3.0.0-patch1 (including) 3.0.0-patch1 (including)
Identity_services_engine Cisco 3.0.0-patch2 (including) 3.0.0-patch2 (including)
Identity_services_engine Cisco 3.0.0-patch3 (including) 3.0.0-patch3 (including)
Identity_services_engine Cisco 3.1(0.440) (including) 3.1(0.440) (including)

Potential Mitigations

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2025 Aqua Security Software Ltd.   Privacy Policy | Terms of Use