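Vulnerability Title
N/A
Vulnerability Description
A vulnerability in the ERS API of Cisco ISE could allow an authenticated, remote attacker to access arbitrary files on the underlying operating system of an affected device. To exploit this vulnerability, an attacker must have valid Administrator-level privileges on the affected device. This vulnerability is due to improper privilege management in the ERS API. An attacker could exploit this vulnerability by sending a crafted request to an affected device. A successful exploit could allow the attacker to elevate their privileges beyond their intended access level, which would allow them to obtain sensitive information from the underlying operating system. Note: ERS is not enabled by default. To verify the status of the ERS API in the Admin GUI, choose Administration > Settings > API Settings > API Service Settings.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Vulnerability Category
Improper Privilege Management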
Vulnerability Title
N/A
Vulnerability Description
A vulnerability in the ERS API of Cisco ISE could allow an authenticated, remote attacker to read arbitrary files on the underlying operating system of an affected device. To exploit this vulnerability, an attacker must have valid Administrator-level privileges on the affected device. This vulnerability is due to improper privilege management in the ERS API. An attacker could exploit this vulnerability by sending a crafted request to an affected device. A successful exploit could allow the attacker to elevate their privileges beyond the sphere of their intended access level, which would allow them to obtain sensitive information from the underlying operating system. Note: The ERS is not enabled by default. To verify the status of the ERS API in the Admin GUI, choose Administration > Settings > API Settings > API Service Settings.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Vulnerability Category
Privilege Chaining
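Vulnerability Title
Cisco Identity Services Engine Security Vulnerability
Vulnerability Description
Cisco Identity Services Engine (ISE) is a context-aware platform (the ISE identity services engine) from Cisco, a US company. The platform collects real-time information from the network, users and devices, and formulates and enforces corresponding policies to govern the network. Cisco Identity Services Engine contains a security vulnerability that stems from improper privilege management and allows an authenticated, remote attacker to read arbitrary files on the underlying operating system of an affected device.
CVSS Information
N/A
Vulnerability Category
Other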