—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1
Cisco Prime Infrastructure and Evolved Programmable Network Manager Authentication Bypass API Vulnerability
Advisory ID: cisco-sa-20160629-piauthbypass
Revision 1.0
For Public Release 2016 June 29 16:00 UTC (GMT)
+———————————————————————
Summary
=======
A vulnerability in the application programming interface (API) of Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager (EPNM) could allow an unauthenticated, remote attacker to access and control the API resources.
The vulnerability is due to improper input validation of HTTP requests for unauthenticated URIs. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected URIs. Successful exploitation of this vulnerability could allow the attacker to upload malicious code to the application server or read unauthorized management data, such as credentials of devices managed by Cisco Prime Infrastructure or EPNM.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160629-piauthbypass
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.5 (SunOS)
iQIVAwUBV2qsA689gD3EAJB5AQLphxAArGXxMxb0qLM5w73zZSZS5iuqQffoaoRC
ZPmuUgErAnyO+OlLsco5qfFxEwCWrBQMQEZZie6LlqlArU+Q5H73aKC4orYnu2o0
avEwR1YkFGcLNbZKp/Bvtzhy7Etd3bR/OnSFkfsg/2Qgkx77zQke5vXwjNtuaMtX
RtXYDh65TvpkegxD2Kb4tMZWLKxsH2tV8oBuuDT+m0h7PwSo4n+Ot2u0IbW1dDjn
AXk/8j4qUzA9iC+nFtTY/ulkWZIX1RHnjk/z+070tSvlsbPhcjJiPZT866+RUAms
lQYoINSo045owXFtQv3CiOge8k5bdxaFsnP944Jg8I+huDvmHXg5uPpIEG7cOKQ1
ZM6n+yw3aQkqDgPRNiAiMwnOrVPFvXIwDFQxe5Otij6WY5Npd1FogBfW/1n/akey
IVoEQ4Xz3cR72yrv0Xu5nt2C9GX1uByID82Eq1XF9VeI74yFpNupjzCgPwkxyhsM
+M1gj+9teD42wUtEV92mAtmRiEBeVBKUnnYcDpOYOr5CbSretlyQm++0FbJS2Xrb
22TWTkWWMlOd7L+msb0sOOdlVC5h01aKnfyNfVsBcRhKVcfsfxljomR6V8GZWdW2
DTR1A4f5+rcuJBBlnNxE0tm1Wbvsed7N/0M92aELK13oLmz9lOw5aUZ/X3bhP/ko
iZ6ZrVNwhyQ=
=F9QW
—–END PGP SIGNATURE—–
_______________________________________________
cust-security-announce mailing list
cust-security-announce@cisco.com
To unsubscribe, send the command “unsubscribe” in the subject of your message to cust-security-announce-leave@cisco.com