Cisco Prime Service Catalog XML External Entity Parsing Flaw Lets Remote Authenticated Users Deny Service and Obtain Potentially Sensitive Information
SecurityTracker Alert ID: 1031658
SecurityTracker URL: http://securitytracker.com/id/1031658
Date: Jan 28 2015
Impact: Denial of service via network, Disclosure of authentication information, Disclosure of system information, Disclosure of user information
Fix Available: Yes   Vendor Confirmed: Yes
Version(s): prior to 10.1
A vulnerability was reported in Cisco Prime Service Catalog. A remote authenticated user can cause denial of service conditions or obtain potentially sensitive information.
A remote authenticated user can supply a specially crafted HTTP request to the Prime Service Catalog Simple Object Access Protocol (SOAP) interface. The XML parser behind that interface resolves external entities (XXE), so a request that declares entities in a DOCTYPE can make the parser read files on the target system, exposing potentially sensitive data (e.g., private keys, passwords), or expand nested entity definitions until the system runs out of resources.
The vendor has assigned bug ID CSCup92880 to this vulnerability.
A remote authenticated user can consume excessive resources on the target system.
A remote authenticated user can obtain potentially sensitive data (e.g., private keys, passwords) on the target system.
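Both impacts come from the same parser configuration problem, described in the summary above and again in the Cisco advisory quoted below: a SOAP endpoint that accepts a DOCTYPE and lets the parser act on entity declarations will read whatever file a SYSTEM identifier names and will expand nested entity definitions without bound. The Python script below is an added example and is not code from Cisco or from Prime Service Catalog; it uses the standard-library expat parser to put a permissive configuration next to a hardened one. The SOAP operation `getUser`, the `lol` entity names, and the `db.password` properties file it writes to a temp directory are constructed for the demonstration; the real PSC SOAP interface is not shown on this page.

```python
"""Vulnerable vs. hardened XML parser configuration for a SOAP endpoint.

Added example, not Cisco Prime Service Catalog code. Uses the standard-library
expat parser to show the two behaviours the advisory describes (external
entity resolution and nested entity expansion) and a parser that refuses both.
"""
import os
import tempfile
import xml.parsers.expat as expat

# Constructed stand-in for a secret the attacker wants to read off the host.
SECRET = b"db.password=hunter2"

# Hypothetical SOAP operation; the real PSC WSDL is not on the page.
_ENVELOPE = (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    "<soapenv:Body><getUser><name>%s</name></getUser></soapenv:Body>"
    "</soapenv:Envelope>"
)


class XmlRejected(Exception):
    """Raised by the hardened parser when a request carries a DOCTYPE."""


def xxe_envelope(system_id):
    """Constructed XXE request: declares an external entity and references it."""
    doctype = '<!DOCTYPE soapenv:Envelope [ <!ENTITY xxe SYSTEM "%s"> ]>' % system_id
    return ('<?xml version="1.0"?>\n' + doctype + "\n" + _ENVELOPE % "&xxe;").encode()


def expansion_envelope(depth=3, fanout=10):
    """Constructed entity-expansion request: each level references the previous
    one `fanout` times, so the text expands to fanout**depth copies of "lol"."""
    decls = ['<!ENTITY lol0 "lol">']
    for level in range(1, depth + 1):
        decls.append('<!ENTITY lol%d "%s">' % (level, ("&lol%d;" % (level - 1)) * fanout))
    doctype = "<!DOCTYPE soapenv:Envelope [ %s ]>" % " ".join(decls)
    body = _ENVELOPE % ("&lol%d;" % depth)
    return ('<?xml version="1.0"?>\n' + doctype + "\n" + body).encode()


def parse_vulnerable(xml_bytes):
    """Permissive parser: accepts DOCTYPE, expands entities, fetches external ones.
    Returns the concatenated character data of the document."""
    parser = expat.ParserCreate()
    chunks = []
    parser.CharacterDataHandler = chunks.append

    def fetch_external(context, base, system_id, public_id):
        # Follows the SYSTEM identifier. Only file:// is handled so the example
        # runs offline; a real resolver also fetches http:// (SSRF) and more.
        if not system_id or not system_id.startswith("file://"):
            return 0  # expat turns 0 into a parse error
        with open(system_id[len("file://"):], "rb") as fh:
            data = fh.read()
        sub = parser.ExternalEntityParserCreate(context)  # inherits handlers
        sub.Parse(data, True)  # entity text lands in `chunks` via the handler
        return 1

    parser.ExternalEntityRefHandler = fetch_external
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def parse_hardened(xml_bytes):
    """Hardened parser: no DOCTYPE means no entity declarations of any kind."""
    parser = expat.ParserCreate()
    chunks = []
    parser.CharacterDataHandler = chunks.append

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise XmlRejected("DOCTYPE is not accepted on this endpoint")

    parser.StartDoctypeDeclHandler = reject_doctype
    # Defence in depth: never resolve an external entity even if one appears.
    parser.ExternalEntityRefHandler = lambda context, base, sysid, pubid: 0
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def demo():
    """Runs both parsers against both crafted requests; returns the outcomes."""
    fd, path = tempfile.mkstemp(suffix=".properties")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(SECRET)
        xxe = xxe_envelope("file://" + path)
        bomb = expansion_envelope()
        result = {
            "leaked": parse_vulnerable(xxe),
            "expanded_len": len(parse_vulnerable(bomb)),
            "request_len": len(bomb),
        }
        for key, payload in (("xxe_blocked", xxe), ("expansion_blocked", bomb)):
            try:
                parse_hardened(payload)
                result[key] = False
            except XmlRejected:
                result[key] = True
    finally:
        os.unlink(path)
    return result


if __name__ == "__main__":
    print(demo())
```

Run it directly to print the outcome dictionary: the permissive parser returns the contents of the properties file as the `name` element's text and turns a request of a few hundred bytes into 3000 bytes of character data, while the hardened parser raises before a single entity is declared. Rejecting the DOCTYPE is the same fix as setting the `http://apache.org/xml/features/disallow-doctype-decl` feature to true on a Java DocumentBuilderFactory or SAXParserFactory; an ExternalEntityRefHandler that returns 0 is the fallback when a DOCTYPE has to be tolerated for some legitimate client. The expansion payload is kept small on purpose so that it stays below the amplification limits newer expat builds enforce; the point is the input-to-output ratio, not a crash.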
The vendor has issued a fix (10.1). The vendor has issued patches for 9.4.1, 9.4.1R2, 10.0, and 10.0R2.
The vendor's advisory is available at:
Vendor URL: tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150128-psc-xmlee
Cause: Access control error, Input validation error
Source Message Contents
Subject: Cisco Security Advisory: Cisco Prime Service Catalog XML External Entity Processing Vulnerability
Cisco Security Advisory: Cisco Prime Service Catalog XML External Entity Processing Vulnerability
Advisory ID: cisco-sa-20150128-psc-xmlee
For Public Release 2015 January 28 16:00 UTC (GMT)
A vulnerability in the configuration of the XML parser of Cisco Prime Service Catalog could allow an authenticated, remote attacker to access sensitive data stored on the host operating system or cause system resource consumption that could cause a denial of service condition.
Cisco has released free software updates that address this vulnerability.
This advisory is available at the following link:
cust-security-announce mailing list