Cisco Bug: CSCvu75147 - MGBL-AAA:Unauthorised user able to access data through Cisco-IOS-XR-perf-meas-oper.xml
Sep 02, 2020
- Cisco ASR 9000 Series Aggregation Services Routers
Known Affected Releases
Symptom: Performance measurement operational schema data can be accessed through NETCONF with an XML request by a user logged in with limited permissions, when no data is expected to be returned.

Conditions: Log in with TACACS authentication/authorization with limited permissions as service admin, then send an XML get request through NETCONF to retrieve performance measurement operational data:

    <rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
      <get>
        <filter>
          <performance-measurement xmlns="*oper"/>
          <performance-measurement-responder xmlns="*oper"/>
        </filter>
      </get>
    </rpc>

This request returns data in the response, which is not expected under some user permissions.
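A check for the symptom above, as an added example (not Cisco code): it classifies the rpc-reply that the limited user receives for that get request. The sample replies, the placeholder model namespace, the leaf name and the treatment of an rpc-error as an acceptable outcome are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"  # NETCONF base namespace (RFC 6241)
# Top-level containers named in the request filter on this page.
RESTRICTED = {"performance-measurement", "performance-measurement-responder"}

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def classify_reply(reply_xml):
    """Return (verdict, leaked) for one <rpc-reply> seen by the limited user.
    'denied': server sent <rpc-error> (assumed acceptable, no data returned)
    'empty' : <data> carries nothing from the restricted containers (expected)
    'leak'  : a restricted container came back with content (the symptom)
    """
    root = ET.fromstring(reply_xml)
    if local(root.tag) != "rpc-reply":
        raise ValueError("not a NETCONF rpc-reply")
    if root.find(f"{{{NC}}}rpc-error") is not None:
        return "denied", []
    data = root.find(f"{{{NC}}}data")
    leaked = []
    for child in (data if data is not None else []):
        # Match on local name only: the page elides the model namespace ("*oper").
        has_content = len(child) > 0 or (child.text or "").strip()
        if local(child.tag) in RESTRICTED and has_content:
            leaked.append(local(child.tag))
    return ("leak" if leaked else "empty"), sorted(leaked)

# Constructed sample replies: the namespace "urn:example:placeholder-oper" and
# <sample-leaf> are placeholders, not real device output.
LEAK = f"""<rpc-reply xmlns="{NC}" message-id="101"><data>
 <performance-measurement xmlns="urn:example:placeholder-oper">
  <sample-leaf>42</sample-leaf>
 </performance-measurement></data></rpc-reply>"""
EMPTY = f'<rpc-reply xmlns="{NC}" message-id="101"><data/></rpc-reply>'
DENIED = f"""<rpc-reply xmlns="{NC}" message-id="101"><rpc-error>
 <error-type>protocol</error-type><error-tag>access-denied</error-tag>
 <error-severity>error</error-severity></rpc-error></rpc-reply>"""

if __name__ == "__main__":
    for name, reply in (("leak", LEAK), ("empty", EMPTY), ("denied", DENIED)):
        print(name, classify_reply(reply))
```
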