Forum Discussion
Cisco IOS XE REST API Container Vulnerability Receives Maximum CVSSv3 Score
Late last month, Cisco released 10 advisories to patch vulnerabilities across a variety of their products. Most notable in these advisories is CVE-2019-12643, an authentication bypass vulnerability in Cisco IOS XE devices due to a flaw in the REST API virtual service container.
The reason for its notability is the fact that Cisco assigned this flaw a CVSSv3 score of 10.0, the maximum score possible. Though the vulnerability is considered severe, exploitation isn’t straightforward, as it requires certain conditions be met before a system can be considered vulnerable.
For more details about the vulnerability, including these mitigating factors, please visit our blog.
4 Replies
- Anonymous
Thanks for sharing info
What if you don't have REST API installed and ACAS flags for this vulnerability?
- snarang (Product Team)
Hi @Autumn Mc,
Thanks for reaching out. Based on the Cisco advisory for the vulnerability, there are a few different requirements that need to be met in order for an attacker to exploit the vulnerability. In this case, if the REST API virtual service container isn't installed, then the system isn't vulnerable. To address the fact that ACAS is flagging the vulnerability, I'd recommend you open up a support ticket at support.tenable.com so that we can get that triaged.
Thanks again.
Regards,
Satnam
- Anonymous
Thanks, really informative