ID

VAR-202002-0717


CVE

CVE-2020-3154


TITLE

SQL Injection Vulnerability in Cisco Cloud Web Security

Trust: 0.8

sources: JVNDB: JVNDB-2020-002133

DESCRIPTION

A vulnerability in the web UI of Cisco Cloud Web Security (CWS) could allow an authenticated, remote attacker to execute arbitrary SQL queries. The vulnerability exists because the web-based management interface improperly validates SQL values. An authenticated attacker could exploit this vulnerability by sending malicious requests to the affected device. An exploit could allow the attacker to modify values on or return values from the underlying database.

Trust: 1.71

sources: NVD: CVE-2020-3154 // JVNDB: JVNDB-2020-002133 // VULHUB: VHN-181279

AFFECTED PRODUCTS

vendor: cisco // model: cloud web security // scope: eq // version: 5.2\(0\)

Trust: 1.0

vendor: cisco // model: cloud web security // scope: - // version: -

Trust: 0.8

vendor: cisco // model: cloud web security // scope: eq // version: 5.20

Trust: 0.6

sources: JVNDB: JVNDB-2020-002133 // CNNVD: CNNVD-202002-950 // NVD: CVE-2020-3154

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-3154
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3154
value: MEDIUM

Trust: 1.0

NVD: JVNDB-2020-002133
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202002-950
value: MEDIUM

Trust: 0.6

VULHUB: VHN-181279
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-3154
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-002133
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-181279
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-3154
baseSeverity: MEDIUM
baseScore: 4.9
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 1.2
impactScore: 3.6
version: 3.1

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3154
baseSeverity: MEDIUM
baseScore: 4.9
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 1.2
impactScore: 3.6
version: 3.0

Trust: 1.0

NVD: JVNDB-2020-002133
baseSeverity: MEDIUM
baseScore: 4.9
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-181279 // JVNDB: JVNDB-2020-002133 // CNNVD: CNNVD-202002-950 // NVD: CVE-2020-3154 // NVD: CVE-2020-3154

PROBLEMTYPE DATA

problemtype:CWE-89

Trust: 1.9

sources: VULHUB: VHN-181279 // JVNDB: JVNDB-2020-002133 // NVD: CVE-2020-3154

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202002-950

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-202002-950

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-002133

PATCH

title: cisco-sa-cws-inject-6YTdx7AO // url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cws-inject-6YTdx7AO

Trust: 0.8

title: Cisco Cloud Web Security SQL Repair measures for injecting vulnerabilities // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=110020

Trust: 0.6

sources: JVNDB: JVNDB-2020-002133 // CNNVD: CNNVD-202002-950

EXTERNAL IDS

db: NVD // id: CVE-2020-3154

Trust: 2.5

db: JVNDB // id: JVNDB-2020-002133

Trust: 0.8

db: CNNVD // id: CNNVD-202002-950

Trust: 0.7

db: AUSCERT // id: ESB-2020.0610

Trust: 0.6

db: CNVD // id: CNVD-2020-10708

Trust: 0.1

db: VULHUB // id: VHN-181279

Trust: 0.1

sources: VULHUB: VHN-181279 // JVNDB: JVNDB-2020-002133 // CNNVD: CNNVD-202002-950 // NVD: CVE-2020-3154

REFERENCES

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-cws-inject-6ytdx7ao

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2020-3154

Trust: 1.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-3154

Trust: 0.8

url: https://www.auscert.org.au/bulletins/esb-2020.0610/

Trust: 0.6

sources: VULHUB: VHN-181279 // JVNDB: JVNDB-2020-002133 // CNNVD: CNNVD-202002-950 // NVD: CVE-2020-3154

SOURCES

db: VULHUB // id: VHN-181279
db: JVNDB // id: JVNDB-2020-002133
db: CNNVD // id: CNNVD-202002-950
db: NVD // id: CVE-2020-3154

LAST UPDATE DATE

2024-11-23T23:01:31.710000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-181279 // date: 2020-02-24T00:00:00
db: JVNDB // id: JVNDB-2020-002133 // date: 2020-03-04T00:00:00
db: CNNVD // id: CNNVD-202002-950 // date: 2020-02-25T00:00:00
db: NVD // id: CVE-2020-3154 // date: 2024-11-21T05:30:26.333

SOURCES RELEASE DATE

db: VULHUB // id: VHN-181279 // date: 2020-02-19T00:00:00
db: JVNDB // id: JVNDB-2020-002133 // date: 2020-03-04T00:00:00
db: CNNVD // id: CNNVD-202002-950 // date: 2020-02-19T00:00:00
db: NVD // id: CVE-2020-3154 // date: 2020-02-19T20:15:15.220