Furthermore, the two vulnerabilities are not dependent on one another, Cisco stresses in its advisory: exploiting one is not required to exploit the other, and a software release affected by one of them may not be affected by the other.
While APIs in general are great, said Frost, “the unfortunate part of them is that many of the standard Web application vulnerabilities also apply. What is actually worse than that is that the bugs we had 10 or more years ago, which were solved by frameworks, are all reappearing in APIs.”
He added, “If I were running a development team around this today, I would look back at older OWASP bugs [identified by the Open Web Application Security Project] to ensure that certain bug classes that had been eliminated, such as vulnerabilities related to unauthenticated endpoints or mass assignment issues, are still addressed.”
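The mass-assignment and unauthenticated-endpoint bug classes named in the quote above, as an added illustration that is not from the article, from Frost, or from Cisco: a deliberately vulnerable API update handler beside a hardened one. The `Request` type, the `PATCH /api/users/{id}` route and the field names are assumptions.

```python
# Added example (not from the article, Frost or Cisco): the mass-assignment bug
# class named above, as a vulnerable API update handler beside a hardened one.
# No web framework; handlers take an already-parsed JSON body and a user record
# (plain dicts) so the example runs offline. Names and fields are assumptions.
from dataclasses import dataclass
from typing import Optional

# Fields a client may legitimately change about its own profile (allowlist).
WRITABLE_FIELDS = frozenset({"display_name", "email", "timezone"})


@dataclass
class Request:
    """Constructed stand-in for an HTTP request to PATCH /api/users/{id}."""
    body: dict
    authenticated_user_id: Optional[str] = None  # None: no valid session/token


class ApiError(Exception):
    def __init__(self, status: int, message: str):
        super().__init__(message)
        self.status = status


def update_user_vulnerable(user: dict, req: Request) -> dict:
    """Mass assignment: every key in the JSON body is bound to the record, so a
    client can set fields it should never control. It is also unauthenticated."""
    user.update(req.body)
    return user


def update_user_hardened(user: dict, req: Request) -> dict:
    """Bind only allow-listed fields, and require the caller to be the record's
    authenticated owner (401 without a session, 403 for someone else's record)."""
    if req.authenticated_user_id is None:
        raise ApiError(401, "authentication required")
    if req.authenticated_user_id != user["id"]:
        raise ApiError(403, "not the owner of this record")
    unknown = set(req.body) - WRITABLE_FIELDS
    if unknown:
        # Reject rather than silently drop: unexpected fields then show up in logs.
        raise ApiError(400, f"fields not writable: {sorted(unknown)}")
    for key in WRITABLE_FIELDS & set(req.body):
        user[key] = req.body[key]
    return user


if __name__ == "__main__":
    # Constructed sample: the body carries an extra field the client must not set.
    body = {"display_name": "alice", "role": "admin"}
    print(update_user_vulnerable({"id": "u1", "role": "user"}, Request(body)))
    try:
        update_user_hardened({"id": "u1", "role": "user"}, Request(body, "u1"))
    except ApiError as e:
        print(e.status, e)
```

The same allowlist idea applies to any binding layer (ORM model binders, serializers, `**kwargs` constructors): enumerate what the client may write, never what it may not.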