First published: Wed Oct 06 2021
A vulnerability in the API endpoints for Cisco DNA Center could allow an authenticated, remote attacker to gain access to sensitive information that should be restricted. The attacker must have valid device credentials. This vulnerability is due to improper access controls on API endpoints. An attacker could exploit the vulnerability by sending a specific API request to an affected application. A successful exploit could allow the attacker to obtain sensitive information about other users who are configured with higher privileges on the application. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnac-infodisc-KyC6YncS
Credit: This vulnerability was found during the resolution of a Cisco TAC support case.
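The advisory describes the failure class, not the code: an endpoint that verifies the caller is authenticated but never checks whether that caller is allowed to read the record it asked for, so a low-privileged account can pull details of higher-privileged users. The following is an added illustration of that class on a toy user-directory API (constructed sample data and a made-up role ranking; it is not Cisco's code and does not reflect DNA Center's data model or endpoints). The vulnerable handler stops at authentication; the hardened one also enforces an object-level rule, here "your own record, or records of strictly lower-privileged accounts".

```python
from dataclasses import dataclass

# Constructed sample data for the illustration only (not DNA Center's model).
ROLE_RANK = {"observer": 0, "network-admin": 1, "super-admin": 2}


@dataclass(frozen=True)
class User:
    user_id: int
    username: str
    role: str
    email: str  # stands in for the "sensitive information" the advisory mentions


USERS = {
    1: User(1, "alice", "super-admin", "alice@example.test"),
    2: User(2, "bob", "network-admin", "bob@example.test"),
    3: User(3, "carol", "observer", "carol@example.test"),
}


class Forbidden(Exception):
    """Caller is authenticated but not authorised for the requested object."""


def authenticate(requester_id: int) -> User:
    """Authentication step shared by both handlers: reject unknown callers."""
    requester = USERS.get(requester_id)
    if requester is None:
        raise PermissionError("not authenticated")
    return requester


def get_user_vulnerable(requester_id: int, target_id: int) -> User:
    """Improper access control: any valid account can read any account.

    Authentication is checked, authorisation is not, so an 'observer' can
    fetch the 'super-admin' record.
    """
    authenticate(requester_id)
    return USERS[target_id]


def get_user_fixed(requester_id: int, target_id: int) -> User:
    """Hardened handler: authentication plus an object-level authorisation rule.

    Policy chosen for this example: a caller may read its own record, or the
    record of an account with a strictly lower role rank. Everything else is
    refused, so lower-privileged users cannot read higher-privileged ones.
    """
    requester = authenticate(requester_id)
    target = USERS.get(target_id)
    if target is None:
        # Fail closed with the same error as a denied read so that a caller
        # cannot distinguish "no such user" from "not allowed to see this user".
        raise Forbidden("not permitted")
    if requester.user_id != target.user_id and not (
        ROLE_RANK[requester.role] > ROLE_RANK[target.role]
    ):
        raise Forbidden("not permitted")
    return target


def demo() -> dict:
    """Show the difference: observer (id 3) asks for the super-admin (id 1)."""
    leaked = get_user_vulnerable(3, 1).email
    try:
        get_user_fixed(3, 1)
        blocked = False
    except Forbidden:
        blocked = True
    return {"vulnerable_leaks": leaked, "fixed_blocks": blocked}


if __name__ == "__main__":
    print(demo())
```

The point to carry over to a review of a real API is the second check in the fixed handler: authentication answers "who is calling", and a separate per-object rule must answer "may this caller see this record". Returning one uniform refusal for both "missing" and "forbidden" also keeps the endpoint from doubling as a user-enumeration oracle.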
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cisco DNA Center | 2.2.2 and earlier (all releases before 2.2.2.5) | Upgrade to 2.2.2.5 (Oct 2021) |
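Because the fixed release has four components (2.2.2.5) while the affected range is written with three ("2.2.2 and earlier"), a naive string comparison gets the triage wrong: "2.2.2.3" sorts after "2.2.2" as text but is still below the fix. The following added helper (not part of the advisory or of any Cisco tooling) parses dotted release strings into numeric tuples and flags anything below the fixed release as affected; the inventory it runs over is constructed sample data.

```python
import re
from itertools import zip_longest

# Fixed release named in the advisory; everything below it is treated as affected.
FIXED_RELEASE = "2.2.2.5"

_RELEASE_RE = re.compile(r"\d+(?:\.\d+)*")


def parse_release(release: str) -> tuple:
    """Turn '2.2.2.3' into (2, 2, 2, 3). Rejects anything that is not dotted digits."""
    release = release.strip()
    if not _RELEASE_RE.fullmatch(release):
        raise ValueError(f"not a dotted release string: {release!r}")
    return tuple(int(part) for part in release.split("."))


def release_lt(a: str, b: str) -> bool:
    """Numeric, component-wise less-than; missing trailing components count as 0,
    so '2.2.2' compares equal to '2.2.2.0' and below '2.2.2.5'."""
    pa, pb = parse_release(a), parse_release(b)
    for x, y in zip_longest(pa, pb, fillvalue=0):
        if x != y:
            return x < y
    return False


def is_affected(release: str, fixed: str = FIXED_RELEASE) -> bool:
    """True when the running release predates the fixed release."""
    return release_lt(release, fixed)


def triage(inventory: dict) -> dict:
    """Map each host in a {host: release} inventory to 'affected' or 'fixed'.
    Unparseable release strings are reported as 'unknown' rather than skipped,
    so they stay visible for manual follow-up."""
    result = {}
    for host, release in inventory.items():
        try:
            result[host] = "affected" if is_affected(release) else "fixed"
        except ValueError:
            result[host] = "unknown"
    return result


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {
        "dnac-lab-01": "2.2.2.3",
        "dnac-lab-02": "2.2.2",
        "dnac-prod-01": "2.2.2.5",
        "dnac-prod-02": "2.1.2.8",
        "dnac-stage-01": "n/a",
    }
    for host, state in triage(sample).items():
        print(f"{host}: {state}")
```

Note that a string comparison such as `"2.2.2.3" < "2.2.2.5"` happens to work for these two values but `"2.2.2" < "2.2.2.5"` and `"2.2.10" < "2.2.2.5"` do not behave numerically; comparing tuples of integers avoids both traps.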
The vulnerability ID for this Cisco DNA Center vulnerability is cisco-sa-dnac-infodisc-KyC6YncS.
The title of this vulnerability is Cisco DNA Center Information Disclosure Vulnerability.
This vulnerability in the API endpoints for Cisco DNA Center could allow an authenticated, remote attacker to gain access to sensitive information that should be restricted. The attacker must have valid device credentials. This vulnerability is due to improper access controls on API endpoints.
The severity rating of this vulnerability is medium with a CVSS score of 4.3.
Cisco DNA Center releases 2.2.2 and earlier are affected by this vulnerability; release 2.2.2.5 (Oct 2021) is the first fixed release and is not affected.
An attacker with valid device credentials can exploit this vulnerability by sending a specific API request to the Cisco DNA Center API endpoints and, because of the missing access-control check, obtain sensitive information about other users configured with higher privileges on the application.
Yes, authentication is required for an attacker to exploit this vulnerability. The attacker must have valid device credentials.
The recommended remedy for this vulnerability is to upgrade to Cisco DNA Center version 2.2.2.5 (Oct 2021) or later.
More information about this vulnerability can be found at the following reference: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnac-infodisc-KyC6YncS