CVE-2019-1867 Cisco Elastic Services Controller REST API Authentication Bypass Vulnerability

2019-05-1012:05:18

CWE-287

cisco

www.cve.org

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score

9.8

Confidence

High

EPSS

0.021

Percentile

89.3%

JSON

A vulnerability in the REST API of Cisco Elastic Services Controller (ESC) could allow an unauthenticated, remote attacker to bypass authentication on the REST API. The vulnerability is due to improper validation of API requests. An attacker could exploit this vulnerability by sending a crafted request to the REST API. A successful exploit could allow the attacker to execute arbitrary actions through the REST API with administrative privileges on an affected system.

CNA Affected

[
  {
    "product": "Cisco Elastic Services Controller",
    "vendor": "Cisco",
    "versions": [
      {
        "lessThan": "4.1.0.100",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "4.2.0.74",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "4.3.0.121",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "4.4.0.80",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]