Sign-up

ID

VAR-202005-0696


CVE

CVE-2020-3259


TITLE

Cisco Adaptive Security Appliance  and  Cisco Firepower Threat Defense  Software vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2020-005198

DESCRIPTION

A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to retrieve memory contents on an affected device, which could lead to the disclosure of confidential information. The vulnerability is due to a buffer tracking issue when the software parses invalid URLs that are requested from the web services interface. An attacker could exploit this vulnerability by sending a crafted GET request to the web services interface. A successful exploit could allow the attacker to retrieve memory contents, which could lead to the disclosure of confidential information. Note: This vulnerability affects only specific AnyConnect and WebVPN configurations. For more information, see the Vulnerable Products section. Cisco Adaptive Security Appliances Software is a firewall and network security platform. The platform provides features such as highly secure access to data and network resources

Trust: 1.8

sources: NVD: CVE-2020-3259 // JVNDB: JVNDB-2020-005198 // VULHUB: VHN-181384 // VULMON: CVE-2020-3259

AFFECTED PRODUCTS

vendor:ciscomodel:adaptive security appliance softwarescope:ltversion:9.12.3.9

Trust: 1.0

vendor:ciscomodel:adaptive security appliance softwarescope:ltversion:9.8.4.20

Trust: 1.0

vendor:ciscomodel:firepower threat defensescope:ltversion:6.4.0.9

Trust: 1.0

vendor:ciscomodel:firepower threat defensescope:ltversion:6.3.0.6

Trust: 1.0

vendor:ciscomodel:firepower threat defensescope:gteversion:6.3.0

Trust: 1.0

vendor:ciscomodel:firepower threat defensescope:ltversion:6.5.0.5

Trust: 1.0

vendor:ciscomodel:adaptive security appliance softwarescope:ltversion:9.13.1.10

Trust: 1.0

vendor:ciscomodel:adaptive security appliance softwarescope:gteversion:9.10

Trust: 1.0

vendor:ciscomodel:firepower threat defensescope:ltversion:6.2.3.16

Trust: 1.0

vendor:ciscomodel:firepower threat defensescope:gteversion:6.5.0

Trust: 1.0

vendor:ciscomodel:adaptive security appliance softwarescope:gteversion:9.9

Trust: 1.0

vendor:ciscomodel:adaptive security appliance softwarescope:gteversion:9.8

Trust: 1.0

vendor:ciscomodel:adaptive security appliance softwarescope:gteversion:9.12

Trust: 1.0

vendor:ciscomodel:adaptive security appliance softwarescope:ltversion:9.10.1.40

Trust: 1.0

vendor:ciscomodel:firepower threat defensescope:gteversion:6.2.3

Trust: 1.0

vendor:ciscomodel:adaptive security appliance softwarescope:ltversion:9.9.2.67

Trust: 1.0

vendor:ciscomodel:firepower threat defensescope:gteversion:6.4.0

Trust: 1.0

vendor:ciscomodel:adaptive security appliance softwarescope:gteversion:9.13

Trust: 1.0

vendor:シスコシステムズmodel:cisco adaptive security appliancescope: - version: -

Trust: 0.8

vendor:シスコシステムズmodel:cisco firepower threat defense ソフトウェアscope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2020-005198 // NVD: CVE-2020-3259

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2020-3259
value: HIGH

Trust: 1.8

ykramarz@cisco.com: CVE-2020-3259
value: HIGH

Trust: 1.0

CNNVD: CNNVD-202005-221
value: HIGH

Trust: 0.6

VULHUB: VHN-181384
value: MEDIUM

Trust: 0.1

VULMON: CVE-2020-3259
value: MEDIUM

Trust: 0.1

NVD:
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: FALSE
obtainAllPrivilege: FALSE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: FALSE
version: 2.0

Trust: 1.0

NVD: CVE-2020-3259
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.9

VULHUB: VHN-181384
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

NVD:
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

ykramarz@cisco.com:
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 1.0

NVD: CVE-2020-3259
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-181384 // VULMON: CVE-2020-3259 // JVNDB: JVNDB-2020-005198 // CNNVD: CNNVD-202005-221 // NVD: CVE-2020-3259 // NVD: CVE-2020-3259

PROBLEMTYPE DATA

problemtype:NVD-CWE-noinfo

Trust: 1.0

problemtype:Lack of information (CWE-noinfo) [NVD evaluation ]

Trust: 0.8

problemtype:CWE-200

Trust: 0.1

sources: VULHUB: VHN-181384 // JVNDB: JVNDB-2020-005198 // NVD: CVE-2020-3259

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202005-221

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-202005-221

CONFIGURATIONS

sources:
            
            
            NVD: CVE-2020-3259

PATCH
title:cisco-sa-asaftd-info-disclose-9eJtycMBurl:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-asaftd-info-disclose-9ejtycmb
Trust: 0.8
title:Cisco Firepower Threat Defense  and Adaptive Security Appliances Software Repair measures for information disclosure vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=117822
Trust: 0.6
title:Cisco: Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Information Disclosure Vulnerabilityurl:https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-asaftd-info-disclose-9ejtycmb
Trust: 0.1
title:Threatposturl:https://threatpost.com/cisco-fixes-high-severity-flaws-in-firepower-security-software-asa/155568/
Trust: 0.1
title: - url:https://www.theregister.co.uk/2024/01/31/cisco_vuln_akira_attacks/
Trust: 0.1
sources:
            
            
            VULMON: CVE-2020-3259 // 
            
            
            
            JVNDB: JVNDB-2020-005198 // 
            
            
            
            CNNVD: CNNVD-202005-221

EXTERNAL IDS
db:NVDid:CVE-2020-3259
Trust: 3.4
db:JVNDBid:JVNDB-2020-005198
Trust: 0.8
db:CNNVDid:CNNVD-202005-221
Trust: 0.7
db:AUSCERTid:ESB-2020.1615
Trust: 0.6
db:AUSCERTid:ESB-2020.1615.2
Trust: 0.6
db:CNVDid:CNVD-2020-31106
Trust: 0.1
db:VULHUBid:VHN-181384
Trust: 0.1
db:VULMONid:CVE-2020-3259
Trust: 0.1
sources:
            
            
            VULHUB: VHN-181384 // 
            
            
            
            VULMON: CVE-2020-3259 // 
            
            
            
            JVNDB: JVNDB-2020-005198 // 
            
            
            
            CNNVD: CNNVD-202005-221 // 
            
            
            
            NVD: CVE-2020-3259

REFERENCES
url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-asaftd-info-disclose-9ejtycmb
Trust: 1.9
url:https://nvd.nist.gov/vuln/detail/cve-2020-3259
Trust: 1.4
url:https://cisa.gov/known-exploited-vulnerabilities-catalog
Trust: 0.8
url:https://vigilance.fr/vulnerability/cisco-asa-information-disclosure-via-http-get-32189
Trust: 0.6
url:https://www.auscert.org.au/bulletins/esb-2020.1615/
Trust: 0.6
url:https://www.auscert.org.au/bulletins/esb-2020.1615.2/
Trust: 0.6
url:https://cwe.mitre.org/data/definitions/.html
Trust: 0.1
url:https://www.theregister.co.uk/2024/01/31/cisco_vuln_akira_attacks/
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
url:https://threatpost.com/cisco-fixes-high-severity-flaws-in-firepower-security-software-asa/155568/
Trust: 0.1
sources:
            
            
            VULHUB: VHN-181384 // 
            
            
            
            VULMON: CVE-2020-3259 // 
            
            
            
            JVNDB: JVNDB-2020-005198 // 
            
            
            
            CNNVD: CNNVD-202005-221 // 
            
            
            
            NVD: CVE-2020-3259

SOURCES
db:VULHUBid:VHN-181384
db:VULMONid:CVE-2020-3259
db:JVNDBid:JVNDB-2020-005198
db:CNNVDid:CNNVD-202005-221
db:NVDid:CVE-2020-3259

LAST UPDATE DATE
2024-03-18T22:14:29.272000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-181384date:2021-09-17T00:00:00
db:VULMONid:CVE-2020-3259date:2023-08-16T00:00:00
db:JVNDBid:JVNDB-2020-005198date:2024-03-06T03:16:00
db:CNNVDid:CNNVD-202005-221date:2021-09-18T00:00:00
db:NVDid:CVE-2020-3259date:2024-02-16T02:00:03.227

SOURCES RELEASE DATE
db:VULHUBid:VHN-181384date:2020-05-06T00:00:00
db:VULMONid:CVE-2020-3259date:2020-05-06T00:00:00
db:JVNDBid:JVNDB-2020-005198date:2020-06-09T00:00:00
db:CNNVDid:CNNVD-202005-221date:2020-05-06T00:00:00
db:NVDid:CVE-2020-3259date:2020-05-06T17:15:12.777