Cisco Bug: CSCvu75147 - MGBL-AAA:Unauthorised user able to access data through Cisco-IOS-XR-perf-meas-oper.xml

Last Modified

Sep 02, 2020

Products (1)

  • Cisco ASR 9000 Series Aggregation Services Routers

Known Affected Releases

7.1.2.BASE

Description (partial)

Symptom:
Performance measurement operational schema data can be accessed over NETCONF with an XML request by a user logged in with limited permissions, when no data is expected to be returned.

Conditions:
Log in through TACACS authentication/authorization with limited permissions as service admin, then send an XML get request over NETCONF to retrieve performance measurement operational data:
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
  <get>
    <filter>
      <performance-measurement xmlns="*oper"/>
      <performance-measurement-responder xmlns="*oper"/>
    </filter>
  </get>
</rpc>
This request returns data in the response, which is not expected under some user permissions.
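
One way to turn the condition above into a repeatable authorization check (an added example, not Cisco's code): the Python below inspects a NETCONF rpc-reply captured for the limited-permission user and lists which of the two filtered containers came back with data. The sample replies, their placeholder namespace and the leaf name are constructed; matching is on element local names because the page elides the namespace.

```python
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
# Top-level containers named in the <filter> shown on this page.
RESTRICTED = {"performance-measurement", "performance-measurement-responder"}

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def has_payload(elem):
    """True if the element carries a child element or non-blank text."""
    return len(elem) > 0 or bool((elem.text or "").strip())

def leaked_containers(rpc_reply_xml):
    """Return the restricted containers that came back populated.

    An <rpc-error> reply, an empty <data/>, or an empty container yields
    an empty list, the expected result for a user without read access.
    """
    root = ET.fromstring(rpc_reply_xml)
    data = root.find(f"{{{NC}}}data")
    if data is None:
        return []
    return sorted(local(c.tag) for c in data
                  if local(c.tag) in RESTRICTED and has_payload(c))

# Constructed replies; "urn:example:placeholder-oper" and <sample-leaf>
# are placeholders, not the real schema.
LEAKY = f"""<rpc-reply xmlns="{NC}" message-id="101"><data>
  <performance-measurement xmlns="urn:example:placeholder-oper">
    <sample-leaf>1</sample-leaf>
  </performance-measurement>
  <performance-measurement-responder xmlns="urn:example:placeholder-oper"/>
</data></rpc-reply>"""
EMPTY = f'<rpc-reply xmlns="{NC}" message-id="101"><data/></rpc-reply>'
DENIED = f"""<rpc-reply xmlns="{NC}" message-id="101"><rpc-error>
  <error-type>protocol</error-type>
  <error-tag>access-denied</error-tag>
  <error-severity>error</error-severity>
</rpc-error></rpc-reply>"""

if __name__ == "__main__":
    for name, reply in (("leaky", LEAKY), ("empty", EMPTY), ("denied", DENIED)):
        found = leaked_containers(reply)
        print(name, "FAIL: data returned for" if found else "ok", found)
```
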