Cisco Application Policy Infrastructure Controller Access Control Vulnerability

cisco-sa-20160203-apic · High · Published 10 years ago · Updated 10 years ago

Data: Cisco advisories 1 day ago · Cisco CSAF 4 hours ago · NVD CVEs 7 hours ago · NVD CPEs 1 day ago · CISA KEV 1 day ago · EPSS 1 day ago

A vulnerability in the role-based access control (RBAC) of the Cisco Application Policy Infrastructure Controller (APIC) could allow an authenticated remote user to make configuration changes outside of their configured access privileges.   The vulnerability is due to eligibility logic in the RBAC processing code. An authenticated user could exploit this vulnerability by sending specially crafted representational state transfer (REST) requests to the APIC. An exploit could allow the authenticated user to make configuration changes to the APIC beyond the configured privilege for their role. Cisco has released software updates that address this vulnerability. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160203-apic

Cisco advisory ·CSAF JSON

Workarounds

There are no workarounds that address this vulnerability.

CVEs	CVE-2016-1302
Cisco Bug IDs	CSCut12998
CVSS Score	Base 8.5 Base 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C

Products with public affected evidence

Product	CVE	Affected evidence
Cisco Application Policy Infrastructure Controller (APIC)	CVE-2016-1302	structured affected CSAF product_status
Cisco NX-OS Software	CVE-2016-1302	structured affected CSAF product_status