—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

Cisco Security Advisory: Cisco License Manager Directory Traversal Information Disclosure Vulnerability

Advisory ID: cisco-sa-20171004-clm

Revision: 1.0

For Public Release: 2017 October 4 16:00 GMT

Last Updated: 2017 October 4 16:00 GMT

CVE ID(s): CVE-2017-12263

CVSS Score v(3): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

+———————————————————————

Summary
=======
A vulnerability in the web interface of Cisco License Manager software could allow an unauthenticated, remote attacker to download and view files within the application which should be restricted.

The issue is due to improper sanitization of user-supplied input in HTTP request parameters that describe filenames. An attacker could exploit this vulnerability by using directory traversal techniques to submit a path to a desired file location. An exploit could allow the attacker to view application files which may contain sensitive information.

Cisco has not released and will not release a software update to address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171004-clm [“https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171004-clm”]

—–BEGIN PGP SIGNATURE—–

iQKBBAEBAgBrBQJZ1QWLZBxDaXNjbyBTeXN0ZW1zIFByb2R1Y3QgU2VjdXJpdHkg
SW5jaWRlbnQgUmVzcG9uc2UgVGVhbSAoQ2lzY28gUFNJUlQga2V5IDIwMTYtMjAx
NykgPHBzaXJ0QGNpc2NvLmNvbT4ACgkQrz2APcQAkHmvVg/6A3Fy+RVIE7MKU61Y
9Xh/zFO69WKmkwJNnuxcRyog+kDv0LggEc0m1j+KQU6vLQrtNAOL5H5mn9tr4Thf
VHlwGSWaLmA5DxmsKUCrVT6lgnlXjYzOtCDuzDa4EqQEiiRUOFewNOGI7U2qykD0
WCgsBRnyOCjw9xDHCA8LDDpB2uunddrVYhBjYdy5VN421X+O4UYPlNRLcRzh3nO7
z4FbgXI8uiGg2F7QIQhR2keUKXjhj58XsIGIc/8V9mcsPQtjlh1SDA+w2Z6UOseg
2wo8adSGl67Pzop76VyrxqRhZHy6ggMoujch7Vp+e6pISFIerMbRReFkeDe4urD/
NLF+ST+7QF/0/itujuBVtVGSNUT9khRbKLD4802CcgqVhjS8jZvGfoaGf+teQVkR
zvDEjR2DpzNcbFnaSxuC69AxZwJpin1xAZq2MOgMR0sbGCJsGSHWuU/igAB6g5sr
BNLNI7u14CnysFvKWfHDq0loaKcr5Cmep217hLBb+psYKi4kzvIL3l6vl/dudLm4
64mnSuSKvsjq2d74F7vdut8pBSALJ9mZCXVCj9zQjM5a7NAKfUdxzU2ryMF1u7tC
jTZhq5W9L+EeTtijp3H9ZXVs0smvXMBas9QdkF5p3o85BFD90HeH2oSuDazuJhZU
L3uudn82Wln24A9wOcb1aLd0Es0=
=eBtR
—–END PGP SIGNATURE—–

_______________________________________________
cust-security-announce mailing list
cust-security-announce@cisco.com
To unsubscribe, send the command “unsubscribe” in the subject of your message to cust-security-announce-leave@cisco.com