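Vulnerability Title
Cisco Identity Services Engine XML External Entity Injection Vulnerability
Vulnerability Description
Cisco Identity Services Engine XML External Entity Injection Vulnerability
CVSS Information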
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Vulnerability Category
N/A
Vulnerability Title
Cisco Identity Services Engine XML External Entity Injection Vulnerability
Vulnerability Description
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access sensitive information, conduct a server-side request forgery (SSRF) attack through an affected device, or negatively impact the responsiveness of the web-based management interface itself. This vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by uploading a crafted XML file that contains references to external entities. A successful exploit could allow the attacker to retrieve files from the local system, resulting in the disclosure of confidential information. A successful exploit could also cause the web application to perform arbitrary HTTP requests on behalf of the attacker or consume memory resources to reduce the availability of the web-based management interface. To successfully exploit this vulnerability, an attacker would need valid Super Admin or Policy Admin credentials.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
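Vulnerability Category
Improper Restriction of XML External Entity Reference (XXE)
Vulnerability Title
Cisco Identity Services Engine Code Issue Vulnerability
Vulnerability Description
Cisco Identity Services Engine (ISE) is a context-aware platform (the ISE identity services engine) from Cisco, a US company. The platform collects real-time information from the network, users, and devices, and creates and enforces corresponding policies to govern the network. Cisco Identity Services Engine (ISE) 3.2 and earlier versions contain a security vulnerability caused by improper handling of XML External Entity (XXE) entries when parsing certain XML files, which allows an authenticated, remote attacker to access sensitive information and conduct a server-side request forgery (SSRF) attack through an affected device.
CVSS Information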
N/A
Vulnerability Category
Code Issue