← Back

CVE-2012-2494

nvd nist
Published: Jun 20, 2012Modified: Apr 29, 2026

JSON object

Loading...
4.3
Vector
AV:N/AC:M/Au:N/C:N/I:P/A:N
Exploitability: 8.6 / Impact: 2.9
Source: NVD

Description

The VPN downloader implementation in the WebLaunch feature in Cisco AnyConnect Secure Mobility Client 2.x before 2.5 MR6 and 3.x before 3.0 MR8 does not compare the timestamp of offered software to the timestamp of installed software, which allows remote attackers to force a version downgrade by using (1) ActiveX or (2) Java components to offer signed code that corresponds to an older software release, aka Bug ID CSCtw48681.

Affected (16)

Cisco
1 product
Anyconnect Secure Mobility Client
Configuration A
16 vulnerable
Vulnerable SoftwareAffected Versions
Cisco
Anyconnect Secure Mobility Client
Version 2.0
Anyconnect Secure Mobility Client
Version 2.1
Anyconnect Secure Mobility Client
Version 2.2.128
Anyconnect Secure Mobility Client
Version 2.2.133
Anyconnect Secure Mobility Client
Version 2.2.136
Anyconnect Secure Mobility Client
Version 2.2.140
Anyconnect Secure Mobility Client
Version 2.2
Anyconnect Secure Mobility Client
Version 2.3.185
Anyconnect Secure Mobility Client
Version 2.3.2016
Anyconnect Secure Mobility Client
Version 2.3.254
Anyconnect Secure Mobility Client
Version 2.3
Anyconnect Secure Mobility Client
Version 2.4.0202
Anyconnect Secure Mobility Client
Version 2.4.1012
Anyconnect Secure Mobility Client
Version 2.4
Anyconnect Secure Mobility Client
Version 2.5
Anyconnect Secure Mobility Client
Version 3.0

Related CWEs

CWE-20
Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (2)

Source: psirt@cisco.com
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory

Timeline

No history available yet.