CVE-2020-3367

Published: Nov 18, 2020Modified: Nov 21, 2024

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

A vulnerability in the log subscription subsystem of Cisco AsyncOS for the Cisco Secure Web Appliance (formerly Web Security Appliance) could allow an authenticated, local attacker to perform command injection and elevate privileges to root. This vulnerability is due to insufficient validation of user-supplied input for the web interface and CLI. An attacker could exploit this vulnerability by authenticating to the affected device and injecting scripting commands in the scope of the log subscription subsystem. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system and elevate privileges to root.

Affected (4)

Products: Cisco: Asyncos

1 product

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Cisco Asyncos	Before 11.7.2-011
Cisco Asyncos	From 11.8.0 to 11.8.2-009
Cisco Asyncos	From 12.0.0 to 12.0.2
Cisco Asyncos	From 12.5.0 to 12.5.1-011

Related CWEs

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (2)

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wsa-prv-esc-nPzWZrQj

Source: psirt@cisco.com

Vendor Advisory

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wsa-prv-esc-nPzWZrQj

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.