CVE-2019-12665
HIGHCisco IOS and IOS XE - Unauthenticated Data Exposure and Modification via HTTP Client Connection Reuse
Title source: llmDescription
A vulnerability in the HTTP client feature of Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to read and modify data that should normally have been sent via an encrypted channel. The vulnerability is due to TCP port information not being considered when matching new requests to existing, persistent HTTP connections. An attacker could exploit this vulnerability by acting as a man-in-the-middle and then reading and/or modifying data that should normally have been sent through an encrypted channel.
References (1)
Core 1
Core References
Vendor Advisory vendor-advisory
x_refsource_cisco
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-http-client
Scores
CVSS v3
7.4
EPSS
0.0109
EPSS Percentile
61.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-399
Status
published
Products (2)
cisco/ios
15.6\(2\)t
cisco/ios
fd-1.5.0
Published
Sep 25, 2019
Tracked Since
Feb 18, 2026