← Back

CVE-2020-3578

nvd nist
Published: Oct 21, 2020Modified: Nov 21, 2024

JSON object

Loading...
6.5
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Exploitability: 3.9 / Impact: 2.5
Source: NVD

Description

A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass a configured access rule and access parts of the WebVPN portal that are supposed to be blocked. The vulnerability is due to insufficient validation of URLs when portal access rules are configured. An attacker could exploit this vulnerability by accessing certain URLs on the affected device.

Affected (11)

Cisco
2 products
Firepower Threat Defense
Adaptive Security Appliance Software
Configuration A
4 vulnerable
Vulnerable SoftwareAffected Versions
Cisco
Firepower Threat Defense
Before 6.3.0.6
Firepower Threat Defense
From 6.4.0 to 6.4.0.10
Firepower Threat Defense
From 6.5.0 to 6.5.0.5
Firepower Threat Defense
From 6.6.0 to 6.6.1
Configuration B
7 vulnerable
Vulnerable SoftwareAffected Versions
Cisco
Adaptive Security Appliance Software
Before 9.6.4.45
Adaptive Security Appliance Software
From 9.10 to 9.10.1.44
Adaptive Security Appliance Software
From 9.12 to 9.12.4.4
Adaptive Security Appliance Software
From 9.13 to 9.13.1.13
Adaptive Security Appliance Software
From 9.14 to 9.14.1.19
Adaptive Security Appliance Software
From 9.7 to 9.8.4.26
Adaptive Security Appliance Software
From 9.9 to 9.9.2.80

Related CWEs

CWE-863
Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (2)

Source: psirt@cisco.com
PatchVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
PatchVendor Advisory

Timeline

No history available yet.