ID

VAR-202302-1614


CVE

CVE-2023-20075


TITLE

Cisco Secure Email Operating system command injection vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-202303-052

DESCRIPTION

Vulnerability in the CLI of Cisco Secure Email Gateway could allow an authenticated, remote attacker to execute arbitrary commands. These vulnerability is due to improper input validation in the CLI. An attacker could exploit this vulnerability by injecting operating system commands into a legitimate command. A successful exploit could allow the attacker to escape the restricted command prompt and execute arbitrary commands on the underlying operating system. To successfully exploit this vulnerability, an attacker would need valid Administrator credentials. For more information about these vulnerabilities, see the Details section of this advisory. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. This advisory is available at the following link:sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-sma-privesc-9DVkFpJ8

Trust: 0.99

sources: NVD: CVE-2023-20075 // VULMON: CVE-2023-20075

AFFECTED PRODUCTS

vendor:ciscomodel:email security appliancescope:gteversion:14.3.0

Trust: 1.0

vendor:ciscomodel:email security appliancescope:ltversion:14.3.0-032

Trust: 1.0

vendor:ciscomodel:email security appliancescope:gteversion:12.5.0

Trust: 1.0

vendor:ciscomodel:email security appliancescope:ltversion:12.5.3-041

Trust: 1.0

vendor:ciscomodel:email security appliancescope:gteversion:13.0.0

Trust: 1.0

vendor:ciscomodel:email security appliancescope:gteversion:13.5.0

Trust: 1.0

vendor:ciscomodel:email security appliancescope:ltversion:13.0.5-007

Trust: 1.0

vendor:ciscomodel:email security appliancescope:ltversion:14.2.1-020

Trust: 1.0

vendor:ciscomodel:email security appliancescope:gteversion:14.0.0

Trust: 1.0

vendor:ciscomodel:email security appliancescope:ltversion:13.5.4-038

Trust: 1.0

sources: NVD: CVE-2023-20075

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2023-20075
value: MEDIUM

Trust: 1.0

CNNVD: CNNVD-202303-052
value: MEDIUM

Trust: 0.6

NVD: CVE-2023-20075
baseSeverity: MEDIUM
baseScore: 6.7
vectorString: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 0.8
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: CNNVD: CNNVD-202303-052 // NVD: CVE-2023-20075

PROBLEMTYPE DATA

problemtype:CWE-78

Trust: 1.0

sources: NVD: CVE-2023-20075

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202303-052

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-202303-052

CONFIGURATIONS

sources: NVD: CVE-2023-20075

PATCH

title:Cisco Secure Email Fixes for operating system command injection vulnerabilitiesurl:http://123.124.177.30/web/xxk/bdxqbyid.tag?id=228696

Trust: 0.6

title:Cisco: Cisco Email Security Appliance and Cisco Secure Email and Web Manager Vulnerabilitiesurl:https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-esa-sma-privesc-9dvkfpj8

Trust: 0.1

sources: VULMON: CVE-2023-20075 // CNNVD: CNNVD-202303-052

EXTERNAL IDS

db:NVDid:CVE-2023-20075

Trust: 1.7

db:CNNVDid:CNNVD-202303-052

Trust: 0.6

db:VULMONid:CVE-2023-20075

Trust: 0.1

sources: VULMON: CVE-2023-20075 // CNNVD: CNNVD-202303-052 // NVD: CVE-2023-20075

REFERENCES

url:https://sec.cloudapps.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-esa-sma-privesc-9dvkfpj8

Trust: 1.7

url:https://cxsecurity.com/cveshow/cve-2023-20075/

Trust: 0.6

sources: VULMON: CVE-2023-20075 // CNNVD: CNNVD-202303-052 // NVD: CVE-2023-20075

SOURCES

db:VULMONid:CVE-2023-20075
db:CNNVDid:CNNVD-202303-052
db:NVDid:CVE-2023-20075

LAST UPDATE DATE

2023-03-14T22:53:27.463000+00:00


SOURCES UPDATE DATE

db:CNNVDid:CNNVD-202303-052date:2023-03-14T00:00:00
db:NVDid:CVE-2023-20075date:2023-03-13T14:01:00

SOURCES RELEASE DATE

db:CNNVDid:CNNVD-202303-052date:2023-03-01T00:00:00
db:NVDid:CVE-2023-20075date:2023-03-01T08:15:00