[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Cisco Security Advisory: Cisco Prime Infrastructure and Evolved Programmable Network Manager Authentication Bypass API Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Cisco Security Advisory: Cisco Prime Infrastructure and Evolved Programmable Network Manager Authentication Bypass API Vulnerability
From: Cisco Systems Product Security Incident Response Team <psirt@xxxxxxxxx>
Date: Wed, 29 Jun 2016 12:33:27 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Prime Infrastructure and Evolved Programmable Network Manager 
Authentication Bypass API Vulnerability

Advisory ID: cisco-sa-20160629-piauthbypass

Revision 1.0

For Public Release 2016 June 29 16:00 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

A vulnerability in the application programming interface (API) of Cisco Prime 
Infrastructure and Cisco Evolved Programmable Network Manager (EPNM) could 
allow an unauthenticated, remote attacker to access and control the API 
resources.

The vulnerability is due to improper input validation of HTTP requests for 
unauthenticated URIs. An attacker could exploit this vulnerability by sending a 
crafted HTTP request to the affected URIs. Successful exploitation of this 
vulnerability could allow the attacker to upload malicious code to the 
application server or read unauthorized management data, such as credentials of 
devices managed by Cisco Prime Infrastructure or EPNM.

Cisco has released software updates that address this vulnerability. There are 
no workarounds that address this vulnerability.  

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160629-piauthbypass

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)

iQIVAwUBV2qsA689gD3EAJB5AQLphxAArGXxMxb0qLM5w73zZSZS5iuqQffoaoRC
ZPmuUgErAnyO+OlLsco5qfFxEwCWrBQMQEZZie6LlqlArU+Q5H73aKC4orYnu2o0
avEwR1YkFGcLNbZKp/Bvtzhy7Etd3bR/OnSFkfsg/2Qgkx77zQke5vXwjNtuaMtX
RtXYDh65TvpkegxD2Kb4tMZWLKxsH2tV8oBuuDT+m0h7PwSo4n+Ot2u0IbW1dDjn
AXk/8j4qUzA9iC+nFtTY/ulkWZIX1RHnjk/z+070tSvlsbPhcjJiPZT866+RUAms
lQYoINSo045owXFtQv3CiOge8k5bdxaFsnP944Jg8I+huDvmHXg5uPpIEG7cOKQ1
ZM6n+yw3aQkqDgPRNiAiMwnOrVPFvXIwDFQxe5Otij6WY5Npd1FogBfW/1n/akey
IVoEQ4Xz3cR72yrv0Xu5nt2C9GX1uByID82Eq1XF9VeI74yFpNupjzCgPwkxyhsM
+M1gj+9teD42wUtEV92mAtmRiEBeVBKUnnYcDpOYOr5CbSretlyQm++0FbJS2Xrb
22TWTkWWMlOd7L+msb0sOOdlVC5h01aKnfyNfVsBcRhKVcfsfxljomR6V8GZWdW2
DTR1A4f5+rcuJBBlnNxE0tm1Wbvsed7N/0M92aELK13oLmz9lOw5aUZ/X3bhP/ko
iZ6ZrVNwhyQ=
=F9QW
-----END PGP SIGNATURE-----

Prev by Date: Cisco Security Advisory: Cisco Prime Collaboration Provisioning Lightweight Directory Access Protocol Authentication Bypass Vulnerability
Next by Date: [SECURITY] [DSA 3609-1] tomcat8 security update
Previous by thread: Cisco Security Advisory: Cisco Prime Collaboration Provisioning Lightweight Directory Access Protocol Authentication Bypass Vulnerability
Next by thread: [SECURITY] [DSA 3609-1] tomcat8 security update
Index(es):
- Date
- Thread