Cisco Identity Services Engine XML External Entity Processing Information Disclosure Vulnerability
Summary
A vulnerability in the licensing features of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an authenticated, remote attacker with administrative privileges to gain access to sensitive information. This vulnerability is due to improper parsing of XML that is processed by the web-based management interface of Cisco ISE and Cisco ISE-PIC. An attacker could exploit this vulnerability by uploading a malicious file to the application. A successful exploit could allow the attacker to read arbitrary files from the underlying operating system tha…
- Scope: At the time of publication, this vulnerability affected Cisco ISE and Cisco ISE-PIC, regardless of device configuration.
- Earlier than 3.2 — Migrate to a fixed release
- Release 3.2 (first fixed: 3.2 Patch 8)
- Release 3.3 (first fixed: 3.3 Patch 8)
- Release 3.4 (first fixed: 3.4 Patch 4)
Official advisory · high-confidence parse· fetched 7 hours ago·verify at source
- 3.2 Patch 8
- 3.3 Patch 8
- 3.4 Patch 4
Official advisory · high-confidence parse· fetched 7 hours ago·verify at source
Mitigation checklist
- Upgrade to the first fixed release for your train per the Fixed Releases table in this advisory.
- Earlier than 3.2: migrate to a fixed release.
- Release 3.2: upgrade to 3.2 Patch 8.
- Release 3.3: upgrade to 3.3 Patch 8.
- Release 3.4: upgrade to 3.4 Patch 4.
- There are no workarounds that address this vulnerability.
Official advisory · high-confidence parse· fetched 7 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.