CVE-2021-34706 — XML External Entity (XXE) Injection in Cisco Identity Services Engine

CWE-611 — XML External Entity (XXE) Injection4 documents4 sources

Severity

5.4MEDIUMNVD

CNA6.4

EPSS

0.2%

top 57.24%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco Identity Services Engine Cisco Identity Services Engine Software

Timeline

PublishedOct 6

Latest updateMay 24

Description

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access sensitive information or conduct a server-side request forgery (SSRF) attack through an affected device. This vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by uploading a crafted XML file that contains references to external entities. A suc…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages2 packages

▶NVDcisco/identity_services_engine3.1+2

▶CVEListV5cisco/cisco_identity_services_engine_softwaren/a

🔴Vulnerability Details

GHSA

GHSA-gjrq-r2pc-24vf: A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access↗2022-05-24

▶

CVEList

Cisco Identity Services Engine XML External Entity Injection Vulnerability↗2021-10-06

▶

📋Vendor Advisories

Cisco

Cisco Identity Services Engine XML External Entity Injection Vulnerability↗2021-10-06

▶