PT-2016-2114 · Cisco · Cisco Evolved Programmable Network Manager, Cisco Prime Infrastructure
Published 2016-05-25 · Updated 2019-07-29 · CVE-2016-1406
CVSS v3.1: 8.8 (High)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Cisco Prime Infrastructure versions prior to 3.1
Cisco Evolved Programmable Network Manager versions prior to 1.2.4
Description
The API web interface does not enforce the Role-Based Access Control (RBAC) restrictions that the product applies elsewhere. A remote, authenticated user can send crafted JSON data to the API and read data or perform actions beyond those permitted by their assigned role, leading to disclosure of sensitive information and privilege escalation. Only low-privilege credentials are required (CVSS PR:L) and no user interaction is needed, which is why the issue is rated High despite requiring authentication.
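The weakness class described above, as an added illustration that is not Cisco's code and does not reproduce the actual product bug: an API handler that lets a field in the client-supplied JSON influence the authorization decision, beside a version that takes the role only from the authenticated session and rejects unexpected fields. The request shape, the role names and the handler names are assumptions chosen for the example.

```python
"""Hypothetical example of CWE-284 (improper access control) in a JSON API:
the authorization decision can be steered by attacker-controlled request data.
Not Cisco's code; the request fields, roles and handlers are assumed."""

import json

# Constructed session store: user -> role assigned server-side by an admin.
SESSION_ROLES = {"alice": "admin", "bob": "viewer"}


def handle_vulnerable(user, body):
    """Vulnerable pattern: a 'role' field in the request body overrides the
    role recorded for the session, so a viewer who adds "role": "admin" to
    the JSON is treated as an admin. Returns (status, message)."""
    req = json.loads(body)
    role = req.get("role", SESSION_ROLES[user])  # client can override the role
    if role != "admin":
        return 403, "forbidden"
    return 200, f"deleted device {req['device']}"


def handle_fixed(user, body):
    """Fixed pattern: the role comes only from the authenticated session, and
    fields the endpoint does not expect are rejected instead of interpreted."""
    req = json.loads(body)
    if set(req) - {"device"}:
        return 400, "unexpected field in request"
    if SESSION_ROLES[user] != "admin":
        return 403, "forbidden"
    return 200, f"deleted device {req['device']}"


if __name__ == "__main__":
    # Constructed crafted request from the low-privilege user 'bob'.
    crafted = json.dumps({"device": "rtr-1", "role": "admin"})
    print("vulnerable:", handle_vulnerable("bob", crafted))  # viewer is granted access
    print("fixed:     ", handle_fixed("bob", crafted))       # request rejected
```

When reviewing an API for this pattern, the check is simple to state: every authorization decision must be computed from the authenticated principal, never from a value the caller can place in the request body, query string or headers.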
Recommendations
For Cisco Prime Infrastructure versions prior to 3.1, update to version 3.1 or later.
For Cisco Evolved Programmable Network Manager versions prior to 1.2.4, update to version 1.2.4 or later.
Fixed releases are available, so the upgrade is the fix. If it cannot be scheduled immediately, restrict network access to the API web interface to trusted management hosts and review which accounts hold API credentials, since any authenticated user can trigger the issue.
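A version-triage helper for the two affected products, added here as an example and not part of the advisory or of any Cisco tooling. It encodes the fixed-in thresholds stated above (Prime Infrastructure 3.1, EPNM 1.2.4) and compares dotted release numbers numerically, so "3.0.10" is correctly treated as older than "3.1". The inventory format and host names are constructed for the example.

```python
"""Check whether installed Cisco Prime Infrastructure / EPNM versions fall in
the range affected by CVE-2016-1406 (PI before 3.1, EPNM before 1.2.4 per the
advisory). Added example; the inventory shape and hosts are constructed."""

import re

# Product -> first fixed release, taken from the advisory text.
FIXED_IN = {
    "Cisco Prime Infrastructure": (3, 1),
    "Cisco Evolved Programmable Network Manager": (1, 2, 4),
}


def parse_version(text):
    """Turn '3.0.2' (optionally followed by a build tag) into (3, 0, 2).
    Numeric comparison avoids the string-comparison trap where '3.10' < '3.9'."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def _pad(a, b):
    """Right-pad the shorter tuple with zeros so (3, 1) compares as (3, 1, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def is_affected(product, version):
    """True when `version` of `product` is older than the first fixed release."""
    if product not in FIXED_IN:
        raise KeyError(f"not covered by this advisory: {product}")
    have, fixed = _pad(parse_version(version), FIXED_IN[product])
    return have < fixed


def triage(inventory):
    """inventory: iterable of (hostname, product, version). Returns the
    hostnames that still need the upgrade, in inventory order."""
    return [host for host, product, version in inventory
            if is_affected(product, version)]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [
        ("pi-01", "Cisco Prime Infrastructure", "3.0.2"),
        ("pi-02", "Cisco Prime Infrastructure", "3.1"),
        ("epnm-01", "Cisco Evolved Programmable Network Manager", "1.2.3"),
        ("epnm-02", "Cisco Evolved Programmable Network Manager", "1.2.4"),
    ]
    for host in triage(sample):
        print(f"{host}: upgrade required (CVE-2016-1406)")
```

Versions at or above the threshold are treated as fixed; the advisory says nothing about release trains, so the check deliberately does not assume that, for example, a later 2.x train received a backported fix.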
Weakness Enumeration
Improper Access Control
Related Identifiers
CVE-2016-1406
Affected Products
Cisco Evolved Programmable Network Manager
Cisco Prime Infrastructure