Cisco released a security advisory for a critical authentication bypass vulnerability in the REST API of Cisco Elastic Services Controller.
The flaw, CVE-2019-1867, could allow an unauthenticated, remote attacker to bypass authentication on the REST API, the company reported. The problem is caused by improper validation of API requests and can be exploited with a crafted request to the REST API, giving an attacker the ability to execute arbitrary actions with administrative privileges.
Cisco Elastic Services Controller running Software Release 4.1, 4.2, 4.3, or 4.4 is affected by this vulnerability when the REST API is enabled. Cisco has released an update to address the issue, but also noted that no workarounds are currently available.