A vulnerability in the SOAP API of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote malicious user to gain read access to information that is stored on an affected system. To exploit this vulnerability, an attacker would need administrative privileges on the DCNM application. The vulnerability exists because the SOAP API improperly handles XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by inserting malicious XML content in an API request. A successful exploit could allow the malicious user to read arbitrary files from the affected device. Note: The severity of this vulnerability is aggravated by the vulnerabilities described in the Cisco Data Center Network Manager Authentication Bypass Vulnerabilities advisory, published simultaneously with this one.
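A defensive check for the XXE handling flaw described above, added here as an example (not Cisco's code or fix). A SOAP message must not contain a document type declaration, so an API front end can reject any request body that carries a DOCTYPE before an entity is ever resolved. The function names and sample bodies are constructed for illustration.

```python
import xml.parsers.expat

class DtdForbidden(ValueError):
    """The request body carries a DOCTYPE, which a SOAP message must not."""

def check_soap_request(body: bytes) -> str:
    """Return the root element name, or raise before any entity is resolved."""
    parser = xml.parsers.expat.ParserCreate()
    root = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Entities can only be declared inside a DTD, so stopping here
        # rules out both internal and external entity expansion.
        raise DtdForbidden(f"DOCTYPE {name!r} in SOAP request")

    def on_start(name, attrs):
        if not root:
            root.append(name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.Parse(body, True)
    return root[0]

def triage(requests):
    """Classify (request_id, body) pairs as 'ok', 'dtd' or 'malformed'."""
    verdicts = {}
    for req_id, body in requests:
        try:
            check_soap_request(body)
            verdicts[req_id] = "ok"
        except DtdForbidden:
            verdicts[req_id] = "dtd"
        except xml.parsers.expat.ExpatError:
            verdicts[req_id] = "malformed"
    return verdicts

# Constructed sample bodies (not captured DCNM traffic).
BENIGN = (b'<soapenv:Envelope xmlns:soapenv='
          b'"http://schemas.xmlsoap.org/soap/envelope/">'
          b'<soapenv:Body><ping/></soapenv:Body></soapenv:Envelope>')
WITH_DTD = (b'<!DOCTYPE d [<!ENTITY x SYSTEM "file:///constructed-placeholder">]>'
            b'<soapenv:Envelope xmlns:soapenv='
            b'"http://schemas.xmlsoap.org/soap/envelope/">'
            b'<soapenv:Body><ping>&x;</ping></soapenv:Body></soapenv:Envelope>')
MALFORMED = b'<soapenv:Envelope><unclosed></soapenv:Envelope>'
```

Requests classified as `dtd` are worth logging with the authenticated account, since the advisory states that exploitation requires administrative privileges on the DCNM application.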
Vulnerable Product |
---|
cisco data center network manager |
Data Center Network Manager bugapalooza with three must-fix flaws
Cisco is kicking off 2020 with the release of a crop of patches for its Data Center Network Manager. The updates address a total of 12 CVE-listed patches and range in severity from moderate to critical, though should all be patched regardless of rating. Nearly all were found within the REST and SOAP APIs. The immediate priority should be cleaning up CVE-2019-15975, CVE-2019-15976, and CVE-2019-15975, a trio of authentication bypass bugs that can be exploited remotely without authentication. The thr...