First published: Thu Oct 21 2021(Updated: )
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker with administrative read-only privileges to download files that should be restricted. This vulnerability is due to incorrect permissions settings on an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request to the device. A successful exploit could allow the attacker to download files that should be restricted.
Credit: ykramarz@cisco.com
Affected Software | Affected Version | How to fix |
---|---|---|
Cisco Identity Services Engine | <=2.6 | |
Cisco Identity Services Engine | =2.6.0 | |
Cisco Identity Services Engine | =2.6.0-patch1 | |
Cisco Identity Services Engine | =2.6.0-patch2 | |
Cisco Identity Services Engine | =2.6.0-patch3 | |
Cisco Identity Services Engine | =2.6.0-patch5 | |
Cisco Identity Services Engine | =2.6.0-patch6 | |
Cisco Identity Services Engine | =2.6.0-patch7 | |
Cisco Identity Services Engine | =2.6.0-patch8 | |
Cisco Identity Services Engine | =2.6.0-patch9 | |
Cisco Identity Services Engine | =2.7 | |
Cisco Identity Services Engine | =2.7\(0.207\) | |
Cisco Identity Services Engine | =2.7\(0.356\) | |
Cisco Identity Services Engine | =2.7\(0.356\) | |
Cisco Identity Services Engine | =2.7\(0.903\) | |
Cisco Identity Services Engine | =2.7.0 | |
Cisco Identity Services Engine | =2.7.0-patch1 | |
Cisco Identity Services Engine | =2.7.0-patch2 | |
Cisco Identity Services Engine | =2.7.0-patch3 | |
Cisco Identity Services Engine | =2.7.0-patch4 | |
Cisco Identity Services Engine | =3.0\(0.458\) | |
Cisco Identity Services Engine | =3.0.0 | |
Cisco Identity Services Engine | =3.0.0-patch1 | |
Cisco Identity Services Engine | =3.0.0-patch2 | |
Cisco Identity Services Engine | =3.0.0-patch3 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability ID is CVE-2021-40123.
The Cisco Identity Services Engine (ISE) version 2.6 and later are affected.
The severity level of this vulnerability is medium with a CVSS score of 6.5.
An authenticated, remote attacker with administrative read-only privileges can exploit this vulnerability to download restricted files.
Yes, Cisco has released a security advisory with detailed information and patches to address this vulnerability.