Sign-up

ID

VAR-202005-0698


CVE

CVE-2020-3280


TITLE

Cisco Unified Contact Center Express Unreliable data deserialization vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2020-005764

DESCRIPTION

A vulnerability in the Java Remote Management Interface of Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerability by sending a malicious serialized Java object to a specific listener on an affected system. A successful exploit could allow the attacker to execute arbitrary code as the root user on an affected device. Cisco Unified Contact Center Express Exists in an unreliable data deserialization vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. This component supports functions such as self-service voice service, call distribution, and customer access control

Trust: 1.71

sources: NVD: CVE-2020-3280 // JVNDB: JVNDB-2020-005764 // VULHUB: VHN-181405

AFFECTED PRODUCTS

vendor:ciscomodel:unified contact center expressscope:gteversion:12.0

Trust: 1.0

vendor:ciscomodel:unified contact center expressscope:ltversion:12.0\(1\)es03

Trust: 1.0

vendor:ciscomodel:unified contact center expressscope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2020-005764 // NVD: CVE-2020-3280

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-3280
value: CRITICAL

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3280
value: CRITICAL

Trust: 1.0

NVD: JVNDB-2020-005764
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-202005-1098
value: CRITICAL

Trust: 0.6

VULHUB: VHN-181405
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2020-3280
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-005764
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-181405
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-3280
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3280
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.0

NVD: JVNDB-2020-005764
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-181405 // JVNDB: JVNDB-2020-005764 // CNNVD: CNNVD-202005-1098 // NVD: CVE-2020-3280 // NVD: CVE-2020-3280

PROBLEMTYPE DATA

problemtype:CWE-502

Trust: 1.9

problemtype:CWE-20

Trust: 1.0

sources: VULHUB: VHN-181405 // JVNDB: JVNDB-2020-005764 // NVD: CVE-2020-3280

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202005-1098

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-202005-1098

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2020-005764

PATCH
title:cisco-sa-uccx-rce-GMSC6RKNurl:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-uccx-rce-GMSC6RKN
Trust: 0.8
title:Cisco Unified Contact Center Express Enter the fix for the verification error vulnerabilityurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=119157
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2020-005764 // 
            
            
            
            CNNVD: CNNVD-202005-1098

EXTERNAL IDS
db:NVDid:CVE-2020-3280
Trust: 2.5
db:JVNDBid:JVNDB-2020-005764
Trust: 0.8
db:CNNVDid:CNNVD-202005-1098
Trust: 0.7
db:NSFOCUSid:46748
Trust: 0.6
db:AUSCERTid:ESB-2020.1799
Trust: 0.6
db:CNVDid:CNVD-2020-29593
Trust: 0.1
db:VULHUBid:VHN-181405
Trust: 0.1
sources:
            
            
            VULHUB: VHN-181405 // 
            
            
            
            JVNDB: JVNDB-2020-005764 // 
            
            
            
            CNNVD: CNNVD-202005-1098 // 
            
            
            
            NVD: CVE-2020-3280

REFERENCES
url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-uccx-rce-gmsc6rkn
Trust: 1.7
url:https://nvd.nist.gov/vuln/detail/cve-2020-3280
Trust: 1.4
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-3280
Trust: 0.8
url:http://www.nsfocus.net/vulndb/46748
Trust: 0.6
url:https://www.auscert.org.au/bulletins/esb-2020.1799/
Trust: 0.6
url:https://vigilance.fr/vulnerability/cisco-unified-contact-center-express-code-execution-via-java-deserialization-32319
Trust: 0.6
sources:
            
            
            VULHUB: VHN-181405 // 
            
            
            
            JVNDB: JVNDB-2020-005764 // 
            
            
            
            CNNVD: CNNVD-202005-1098 // 
            
            
            
            NVD: CVE-2020-3280

SOURCES
db:VULHUBid:VHN-181405
db:JVNDBid:JVNDB-2020-005764
db:CNNVDid:CNNVD-202005-1098
db:NVDid:CVE-2020-3280

LAST UPDATE DATE
2024-08-14T14:38:28.424000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-181405date:2020-05-27T00:00:00
db:JVNDBid:JVNDB-2020-005764date:2020-06-22T00:00:00
db:CNNVDid:CNNVD-202005-1098date:2020-05-28T00:00:00
db:NVDid:CVE-2020-3280date:2020-05-27T21:03:10.837

SOURCES RELEASE DATE
db:VULHUBid:VHN-181405date:2020-05-22T00:00:00
db:JVNDBid:JVNDB-2020-005764date:2020-06-22T00:00:00
db:CNNVDid:CNNVD-202005-1098date:2020-05-20T00:00:00
db:NVDid:CVE-2020-3280date:2020-05-22T06:15:10.430