Cisco Identity Services Engine
cpe:2.3:a:cisco:identity_services_engine:*:*:*:*:*:*:*
- < 3.2
- <= 3.2
- <= 3.3
- <= 3.4
A vulnerability exists in the licensing features of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC). It allows an authenticated, remote attacker with administrative privileges to access sensitive information. This issue arises from improper XML parsing in the web-based management interface, enabling an attacker to upload a malicious file that could be used to read arbitrary files from the underlying operating system, potentially exposing sensitive data otherwise inaccessible to administrators.
Exploitation of this vulnerability could lead to unauthorized access to sensitive information on the underlying operating system, bypassing restrictions that typically protect such data from administrators.
Users are advised to upgrade to Cisco ISE or ISE-PIC version 3.2 Patch 8, 3.3 Patch 8, or 3.4 Patch 4. For instructions on upgrading, see the Upgrade Guides on the Cisco Identity Services Engine support page.