====================================================================
                           CERT-Renater

               Information Note No. 2016/VULN271
_____________________________________________________________________

DATE                 : 30/06/2016

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Cisco Prime Infrastructure software,
                       Cisco Evolved Programmable Network Manager
                       software.

=====================================================================
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160629-piauthbypass
____________________________________________________________________

Cisco Prime Infrastructure and Evolved Programmable Network Manager
Authentication Bypass API Vulnerability

Advisory ID: cisco-sa-20160629-piauthbypass

Revision 1.0

For Public Release 2016 June 29 16:00 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

A vulnerability in the application programming interface (API) of
Cisco Prime Infrastructure and Cisco Evolved Programmable Network
Manager (EPNM) could allow an unauthenticated, remote attacker to
access and control the API resources. The vulnerability is due to
improper input validation of HTTP requests for unauthenticated URIs.
An attacker could exploit this vulnerability by sending a crafted HTTP
request to the affected URIs. Successful exploitation of this
vulnerability could allow the attacker to upload malicious code to the
application server or read unauthorized management data, such as
credentials of devices managed by Cisco Prime Infrastructure or EPNM.

Cisco has released software updates that address this vulnerability.
There are no workarounds that address this vulnerability.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160629-piauthbypass

==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================