A vulnerability in the API of Cisco ISE could allow an authenticated, remote attacker to read arbitrary files on the underlying operating system of an affected device and conduct a server-side request forgery (SSRF) attack through an affected device. To exploit this vulnerability, the attacker would need valid Super Admin credentials.
This vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing XML input. An attacker could exploit this vulnerability by sending a crafted API request to an affected device. A successful exploit could allow the attacker to read arbitrary files on the underlying operating system or conduct an SSRF attack through the affected device.
Metrics
Affected Vendors & Products
References
History
Wed, 20 Nov 2024 17:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Cisco
Cisco identity Services Engine |
|
Weaknesses | CWE-918 | |
CPEs | cpe:2.3:a:cisco:identity_services_engine:3.0.0:-:*:*:*:*:*:* cpe:2.3:a:cisco:identity_services_engine:3.0.0:patch1:*:*:*:*:*:* cpe:2.3:a:cisco:identity_services_engine:3.0.0:patch2:*:*:*:*:*:* cpe:2.3:a:cisco:identity_services_engine:3.0.0:patch3:*:*:*:*:*:* cpe:2.3:a:cisco:identity_services_engine:3.0.0:patch4:*:*:*:*:*:* cpe:2.3:a:cisco:identity_services_engine:3.0.0:patch5:*:*:*:*:*:* cpe:2.3:a:cisco:identity_services_engine:3.0.0:patch6:*:*:*:*:*:* cpe:2.3:a:cisco:identity_services_engine:3.0.0:patch7:*:*:*:*:*:* cpe:2.3:a:cisco:identity_services_engine:3.0.0:patch8:*:*:*:*:*:* cpe:2.3:a:cisco:identity_services_engine:3.1.0:-:*:*:*:*:*:* cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch1:*:*:*:*:*:* cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch2:*:*:*:*:*:* cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch3:*:*:*:*:*:* cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch4:*:*:*:*:*:* cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch5:*:*:*:*:*:* cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch6:*:*:*:*:*:* cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch7:*:*:*:*:*:* cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch8:*:*:*:*:*:* cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch9:*:*:*:*:*:* cpe:2.3:a:cisco:identity_services_engine:3.2.0:-:*:*:*:*:*:* cpe:2.3:a:cisco:identity_services_engine:3.2.0:patch1:*:*:*:*:*:* cpe:2.3:a:cisco:identity_services_engine:3.2.0:patch2:*:*:*:*:*:* cpe:2.3:a:cisco:identity_services_engine:3.2.0:patch3:*:*:*:*:*:* cpe:2.3:a:cisco:identity_services_engine:3.2.0:patch4:*:*:*:*:*:* cpe:2.3:a:cisco:identity_services_engine:3.2.0:patch5:*:*:*:*:*:* cpe:2.3:a:cisco:identity_services_engine:3.2.0:patch6:*:*:*:*:*:* cpe:2.3:a:cisco:identity_services_engine:3.3.0:-:*:*:*:*:*:* cpe:2.3:a:cisco:identity_services_engine:3.3.0:patch1:*:*:*:*:*:* cpe:2.3:a:cisco:identity_services_engine:3.3.0:patch2:*:*:*:*:*:* cpe:2.3:a:cisco:identity_services_engine:3.3.0:patch3:*:*:*:*:*:* cpe:2.3:a:cisco:identity_services_engine:3.4.0:-:*:*:*:*:*:* |
|
Vendors & Products |
Cisco
Cisco identity Services Engine |
Wed, 06 Nov 2024 17:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Wed, 06 Nov 2024 16:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | A vulnerability in the API of Cisco ISE could allow an authenticated, remote attacker to read arbitrary files on the underlying operating system of an affected device and conduct a server-side request forgery (SSRF) attack through an affected device. To exploit this vulnerability, the attacker would need valid Super Admin credentials. This vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing XML input. An attacker could exploit this vulnerability by sending a crafted API request to an affected device. A successful exploit could allow the attacker to read arbitrary files on the underlying operating system or conduct an SSRF attack through the affected device. | |
Title | Cisco Identity Services Engine XML External Entity Injection Vulnerability | |
Weaknesses | CWE-611 | |
References |
| |
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: cisco
Published: 2024-11-06T16:31:04.087Z
Updated: 2024-11-06T17:01:49.705Z
Reserved: 2023-11-08T15:08:07.692Z
Link: CVE-2024-20531
Vulnrichment
Updated: 2024-11-06T17:01:44.577Z
NVD
Status : Analyzed
Published: 2024-11-06T17:15:18.043
Modified: 2024-11-20T16:45:31.467
Link: CVE-2024-20531
Redhat
No data.