...
A vulnerability in the Cisco IOS XE Software REST API could allow an authenticated, remote attacker to bypass API authorization checks and use the API to perform privileged actions on an affected device. The vulnerability is due to insufficient authorization checks for requests that are sent to the REST API of the affected software. An attacker could exploit this vulnerability by sending a malicious request to an affected device via the REST API. A successful exploit could allow the attacker to selectively bypass authorization checks for the REST API of the affected software and use the API to perform privileged actions on an affected device. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-rest
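The class of defect described above is an authorization failure, not an authentication one: the caller proves who they are, but the check on what that identity may do is incomplete, so some requests reach privileged handlers without it. The following Python is an added illustration of that class and is not Cisco code; it does not describe how IOS XE implements its REST API, and the session tokens, paths, privilege numbers and the specific bypass mechanism (an authorization deny-list compared against the raw request path while routing uses a canonicalised path) are all constructed for the example. It places the vulnerable dispatch pattern beside a hardened one in which every route declares the privilege it needs and the check is applied centrally after path canonicalisation.

```python
"""Authenticated-but-unauthorized REST dispatch: a vulnerable pattern and a hardened one.

Everything here is constructed for illustration (sessions, routes, privilege
numbers, handler output); it is not Cisco code and does not describe how
IOS XE implements its REST API.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass(frozen=True)
class Principal:
    username: str
    privilege: int  # constructed: 1 = read-only operator, 15 = full administrator


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


# Constructed session store standing in for real token validation.
SESSIONS: Dict[str, Principal] = {
    "tok-admin": Principal("admin", 15),
    "tok-viewer": Principal("viewer", 1),
}


def authenticate(token: str) -> Principal:
    """Authentication answers *who* the caller is, never *what* they may do."""
    try:
        return SESSIONS[token]
    except KeyError:
        raise Unauthenticated("bad or missing token") from None


def normalize(path: str) -> str:
    """Router canonicalisation: lower-case, collapse '//' and drop a trailing '/'."""
    while "//" in path:
        path = path.replace("//", "/")
    return path.lower().rstrip("/") or "/"


# Handlers are plain functions; privilege must be enforced by the dispatcher.
def get_version(p: Principal) -> str:
    return "IOS XE 16.2.1"  # constructed value


def get_running_config(p: Principal) -> str:
    return "enable secret 5 $1$... (constructed running-config)"


def reload_device(p: Principal) -> str:
    return "reload scheduled"


# ---------------------------------------------------------------- vulnerable
# Routes are keyed by the canonical path, but the authorization check is a
# separate deny-list compared against the *raw* request path. A request whose
# raw path differs from the canonical one (case, trailing slash) still resolves
# to the handler but never hits the privilege check: a selective bypass.
ROUTES_VULN: Dict[Tuple[str, str], Callable[[Principal], str]] = {
    ("GET", "/api/v1/global/version"): get_version,
    ("GET", "/api/v1/global/running-config"): get_running_config,
    ("POST", "/api/v1/global/reload"): reload_device,
}
PRIVILEGED_RAW_PATHS = {"/api/v1/global/running-config", "/api/v1/global/reload"}


def dispatch_vulnerable(token: str, method: str, path: str) -> str:
    principal = authenticate(token)
    if path in PRIVILEGED_RAW_PATHS and principal.privilege < 15:
        raise Forbidden(f"{principal.username} lacks privilege 15")
    handler = ROUTES_VULN.get((method.upper(), normalize(path)))
    if handler is None:
        raise KeyError("no such route")
    return handler(principal)


# ----------------------------------------------------------------- hardened
# Every route declares the privilege it needs. The dispatcher canonicalises the
# path once, resolves the route, and checks privilege on the *resolved* route
# before calling the handler. Unknown routes are denied rather than guessed.
ROUTES_HARDENED: Dict[Tuple[str, str], Tuple[int, Callable[[Principal], str]]] = {
    ("GET", "/api/v1/global/version"): (1, get_version),
    ("GET", "/api/v1/global/running-config"): (15, get_running_config),
    ("POST", "/api/v1/global/reload"): (15, reload_device),
}


def dispatch_hardened(token: str, method: str, path: str) -> str:
    principal = authenticate(token)
    key = (method.upper(), normalize(path))
    if key not in ROUTES_HARDENED:
        raise Forbidden("unknown route is denied by default")
    required, handler = ROUTES_HARDENED[key]
    if principal.privilege < required:
        raise Forbidden(f"{principal.username} has privilege {principal.privilege}, "
                        f"route needs {required}")
    return handler(principal)


if __name__ == "__main__":
    # Low-privilege caller, same resource, two spellings of the path.
    for path in ("/api/v1/global/running-config", "/API/v1/global/running-config/"):
        for name, fn in (("vulnerable", dispatch_vulnerable), ("hardened", dispatch_hardened)):
            try:
                print(f"{name:10} {path}: {fn('tok-viewer', 'GET', path)[:24]}")
            except Forbidden as e:
                print(f"{name:10} {path}: Forbidden ({e})")
```

The point to take from the two dispatchers is structural: in the vulnerable one the authorization decision is made on a different representation of the request than the routing decision, so any input the router tolerates but the deny-list does not recognise is a bypass; in the hardened one there is a single canonical form, the privilege requirement travels with the route, and a route with no declared requirement cannot exist, so a new endpoint cannot silently ship without a check.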
This vulnerability affects Cisco devices that are running a vulnerable release of Cisco IOS XE Software.
There are no workarounds that address this vulnerability.
The following table lists the First Fixed Release for the most prevalent Cisco IOS or Cisco IOS XE Software releases currently deployed by Cisco customers. If there is no First Fixed Release information for a release you are currently running, please open a case with your support organization to request the most up-to-date information for your environment. Please DO NOT contact the Cisco PSIRT to request fix information.

--------- ---------------------------------------------------------
| Train | First Fixed Release                                     |
--------- ---------------------------------------------------------
| 3.6E  | Not vulnerable                                          |
| 3.8E  | Not vulnerable                                          |
| 3.13S | Not vulnerable                                          |
| 3.16S | Not vulnerable                                          |
| 16.1  | Vulnerable; migrate to 16.2.2 or later.                 |
| 16.2  | 16.2.2                                                  |
| 16.3  | Not vulnerable                                          |
| 16.6  | Not vulnerable                                          |
--------- ---------------------------------------------------------

PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 3 score. The Base CVSS score as of the time of evaluation is 5.0, with vector CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N (network-reachable, low attack complexity, low privileges required, no user interaction, changed scope, low confidentiality impact): https://tools.cisco.com/security/center/cvssCalculator.x?version=3.0&vector=CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N/E:X/RL:X/RC:X

CVE ID CVE-2018-0195 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html