CVE-2016-1406
First published: Wed May 25 2016(Updated: )
The API web interface in Cisco Prime Infrastructure before 3.1 and Cisco Evolved Programmable Network Manager before 1.2.4 allows remote authenticated users to bypass intended RBAC restrictions and obtain sensitive information, and consequently gain privileges, via crafted JSON data, aka Bug ID CSCuy12409.
Credit: ykramarz@cisco.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cisco Evolved Programmable Network Manager | =1.2.0 | |
| Cisco Evolved Programmable Network Manager | =1.2.1.3 | |
| Cisco Evolved Programmable Network Manager | =1.2.200 | |
| Cisco Evolved Programmable Network Manager | =1.2.300 | |
| Cisco Prime Infrastructure | =1.2 | |
| Cisco Prime Infrastructure | =1.2.0.103 | |
| Cisco Prime Infrastructure | =1.2.1 | |
| Cisco Prime Infrastructure | =1.3 | |
| Cisco Prime Infrastructure | =1.3.0.20 | |
| Cisco Prime Infrastructure | =1.4 | |
| Cisco Prime Infrastructure | =1.4.0.45 | |
| Cisco Prime Infrastructure | =1.4.1 | |
| Cisco Prime Infrastructure | =1.4.2 | |
| Cisco Prime Infrastructure | =2.0 | |
| Cisco Prime Infrastructure | =2.1.0 | |
| Cisco Prime Infrastructure | =2.2 | |
| Cisco Prime Infrastructure | =2.2\(2\) | |
| Cisco Prime Infrastructure | =3.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2016-1406?
CVE-2016-1406 has a severity rating of high due to its potential to allow unauthorized access to sensitive information.
How do I fix CVE-2016-1406?
To fix CVE-2016-1406, upgrade to a version of Cisco Prime Infrastructure or Cisco Evolved Programmable Network Manager that is not affected by this vulnerability.
Who is affected by CVE-2016-1406?
CVE-2016-1406 affects users of Cisco Prime Infrastructure before version 3.1 and Cisco Evolved Programmable Network Manager before version 1.2.4.
What type of attack does CVE-2016-1406 enable?
CVE-2016-1406 enables remote authenticated users to bypass role-based access control restrictions via crafted JSON data.
Is there a workaround for CVE-2016-1406?
There is no documented workaround for CVE-2016-1406; the recommended action is to upgrade the impacted software.
- collector/nvd-index
- agent/type
- agent/references
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/severity
- agent/last-modified-date
- agent/author
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- vendor/cisco
- canonical/cisco evolved programmable network manager
- version/cisco evolved programmable network manager/1.2.0
- version/cisco evolved programmable network manager/1.2.1.3
- version/cisco evolved programmable network manager/1.2.200
- version/cisco evolved programmable network manager/1.2.300
- canonical/cisco prime infrastructure
- version/cisco prime infrastructure/1.2
- version/cisco prime infrastructure/1.2.0.103
- version/cisco prime infrastructure/1.2.1
- version/cisco prime infrastructure/1.3
- version/cisco prime infrastructure/1.3.0.20
- version/cisco prime infrastructure/1.4
- version/cisco prime infrastructure/1.4.0.45
- version/cisco prime infrastructure/1.4.1
- version/cisco prime infrastructure/1.4.2
- version/cisco prime infrastructure/2.0
- version/cisco prime infrastructure/2.1.0
- version/cisco prime infrastructure/2.2
- version/cisco prime infrastructure/2.2\(2\)
- version/cisco prime infrastructure/3.0