Improper authorization in Cisco IOS XE - CVE-2018-0195
Published: March 29, 2018 / Updated: March 29, 2018
Vulnerability identifier: #VU11341
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-0195
CWE-ID: CWE-285
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Cisco Systems, Inc
Affected software:
Cisco IOS XE
Cisco IOS XE
Detailed vulnerability description
The vulnerability allows a remote authenticated attacker to bypass authorization and obtain elevated privileges on the target system.
The weakness exists in the REST API due to insufficient authorization checks for requests that are sent to the REST API. A remote attacker can send a specially crafted request via the REST API, bypass authorization and gain root privileges.
The weakness exists in the REST API due to insufficient authorization checks for requests that are sent to the REST API. A remote attacker can send a specially crafted request via the REST API, bypass authorization and gain root privileges.
How to mitigate CVE-2018-0195
Update to versions 16.4.1, 16.4(0.54), 16.3.1, 16.3(0.225) or 16.2(1.31).