Details of VAR-201306-0166

ID

VAR-201306-0166

CVE

CVE-2013-3383

TITLE

Cisco Web Security Runs on the appliance device AsyncOS Vulnerable to arbitrary command execution

Trust: 0.8

sources: JVNDB: JVNDB-2013-003152

DESCRIPTION

The web framework in IronPort AsyncOS on Cisco Web Security Appliance devices before 7.1.3-013, 7.5 before 7.5.0-838, and 7.7 before 7.7.0-550 allows remote authenticated users to execute arbitrary commands via crafted command-line input in a URL sent over IPv4, aka Bug ID CSCzv69294. Successfully exploiting this issue may allow an attacker to execute arbitrary commands with elevated privileges in context of the affected application. This issue being tracked by Cisco bug ID CSCzv69294. The appliance provides SaaS-based access control, real-time network reporting and tracking, and security policy formulation. This vulnerability stems from the failure to correctly filter the special URL submitted by the user

Trust: 1.98

sources: NVD: CVE-2013-3383 // JVNDB: JVNDB-2013-003152 // BID: 60804 // VULHUB: VHN-63385

AFFECTED PRODUCTS

vendor:	cisco	model:	ironport asyncos	scope:	eq	version:	7.7	Trust: 1.6
vendor:	cisco	model:	ironport asyncos	scope:	eq	version:	7.5	Trust: 1.6
vendor:	cisco	model:	ironport asyncos	scope:	lte	version:	7.1.3	Trust: 1.0
vendor:	cisco	model:	asyncos	scope:	eq	version:	7.7.0-550	Trust: 0.8
vendor:	cisco	model:	asyncos	scope:	lt	version:	7.5	Trust: 0.8
vendor:	cisco	model:	asyncos	scope:	lt	version:	7.7	Trust: 0.8
vendor:	cisco	model:	asyncos	scope:	eq	version:	7.5.0-838	Trust: 0.8
vendor:	cisco	model:	web security the appliance	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	ironport asyncos	scope:	eq	version:	7.1.3	Trust: 0.6

sources: JVNDB: JVNDB-2013-003152 // CNNVD: CNNVD-201306-501 // NVD: CVE-2013-3383

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2013-3383
value:	HIGH
Trust: 1.0
NVD:	CVE-2013-3383
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201306-501
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-63385
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2013-3383
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-63385
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-63385 // JVNDB: JVNDB-2013-003152 // CNNVD: CNNVD-201306-501 // NVD: CVE-2013-3383

PROBLEMTYPE DATA

problemtype:

CWE-94

Trust: 1.9

sources: VULHUB: VHN-63385 // JVNDB: JVNDB-2013-003152 // NVD: CVE-2013-3383

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201306-501

TYPE

code injection

Trust: 0.6

sources: CNNVD: CNNVD-201306-501

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-003152

PATCH

title:	29452	url:	http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=29452	Trust: 0.8
title:	cisco-sa-20130626-wsa	url:	http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130626-wsa	Trust: 0.8
title:	29746	url:	http://tools.cisco.com/security/center/viewAlert.x?alertId=29746	Trust: 0.8
title:	cisco-sa-20130626-sma	url:	http://www.cisco.com/cisco/web/support/JP/111/1118/1118426_cisco-sa-20130626-sma-j.html	Trust: 0.8

sources: JVNDB: JVNDB-2013-003152

EXTERNAL IDS

db:	NVD	id:	CVE-2013-3383	Trust: 2.8
db:	BID	id:	60804	Trust: 1.0
db:	JVNDB	id:	JVNDB-2013-003152	Trust: 0.8
db:	CNNVD	id:	CNNVD-201306-501	Trust: 0.7
db:	CISCO	id:	20130626 MULTIPLE VULNERABILITIES IN CISCO WEB SECURITY APPLIANCE	Trust: 0.6
db:	VULHUB	id:	VHN-63385	Trust: 0.1

sources: VULHUB: VHN-63385 // BID: 60804 // JVNDB: JVNDB-2013-003152 // CNNVD: CNNVD-201306-501 // NVD: CVE-2013-3383

REFERENCES

url:	http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20130626-wsa	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-3383	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-3383	Trust: 0.8
url:	http://www.securityfocus.com/bid/60804	Trust: 0.6

sources: VULHUB: VHN-63385 // JVNDB: JVNDB-2013-003152 // CNNVD: CNNVD-201306-501 // NVD: CVE-2013-3383

CREDITS

Cisco

Trust: 0.9

sources: BID: 60804 // CNNVD: CNNVD-201306-501

SOURCES

db:	VULHUB	id:	VHN-63385
db:	BID	id:	60804
db:	JVNDB	id:	JVNDB-2013-003152
db:	CNNVD	id:	CNNVD-201306-501
db:	NVD	id:	CVE-2013-3383

LAST UPDATE DATE

2024-08-14T14:28:03.170000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-63385	date:	2013-06-28T00:00:00
db:	BID	id:	60804	date:	2013-06-26T00:00:00
db:	JVNDB	id:	JVNDB-2013-003152	date:	2013-07-01T00:00:00
db:	CNNVD	id:	CNNVD-201306-501	date:	2013-07-05T00:00:00
db:	NVD	id:	CVE-2013-3383	date:	2013-06-28T04:00:00

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-63385	date:	2013-06-27T00:00:00
db:	BID	id:	60804	date:	2013-06-26T00:00:00
db:	JVNDB	id:	JVNDB-2013-003152	date:	2013-07-01T00:00:00
db:	CNNVD	id:	CNNVD-201306-501	date:	2013-06-26T00:00:00
db:	NVD	id:	CVE-2013-3383	date:	2013-06-27T21:55:06.987