ID

VAR-202006-1090


CVE

CVE-2020-3223


TITLE

Link interpretation vulnerabilities in Cisco IOS XE Software

Trust: 0.8

sources: JVNDB: JVNDB-2020-006134

DESCRIPTION

A vulnerability in the web-based user interface (web UI) of Cisco IOS XE Software could allow an authenticated, remote attacker with administrative privileges to read arbitrary files on the underlying filesystem of the device. The vulnerability is due to insufficient file scope limiting. An attacker could exploit this vulnerability by creating a specific file reference on the filesystem and then accessing it through the web UI. An exploit could allow the attacker to read arbitrary files from the underlying operating system's filesystem. Cisco IOS XE Software contains a link interpretation vulnerability. Information may be obtained.

Trust: 1.71

sources: NVD: CVE-2020-3223 // JVNDB: JVNDB-2020-006134 // VULHUB: VHN-181348

AFFECTED PRODUCTS

vendor: cisco // model: ios xe // scope: eq // version: 16.12.1s

Trust: 1.0

vendor: cisco // model: ios xe // scope: eq // version: 16.12.1w

Trust: 1.0

vendor: cisco // model: ios xe // scope: eq // version: 16.11.1c

Trust: 1.0

vendor: cisco // model: ios xe // scope: eq // version: 16.12.1

Trust: 1.0

vendor: cisco // model: ios xe // scope: eq // version: 16.12.1c

Trust: 1.0

vendor: cisco // model: ios xe // scope: eq // version: 16.11.1a

Trust: 1.0

vendor: cisco // model: ios xe // scope: eq // version: 16.12.1a

Trust: 1.0

vendor: cisco // model: ios xe // scope: eq // version: 16.12.1t

Trust: 1.0

vendor: cisco // model: ios xe // scope: eq // version: 16.12.1y

Trust: 1.0

vendor: cisco // model: ios xe // scope: eq // version: 16.9.4

Trust: 1.0

vendor: cisco // model: ios xe // scope: eq // version: 16.9.4c

Trust: 1.0

vendor: cisco // model: ios xe // scope: eq // version: 16.11.1

Trust: 1.0

vendor: cisco // model: ios xe // scope: eq // version: 16.11.1s

Trust: 1.0

vendor: cisco // model: ios xe // scope: eq // version: 16.11.1b

Trust: 1.0

vendor: cisco // model: ios xe // scope: eq // version: 16.11.2

Trust: 1.0

vendor: cisco // model: ios // scope: - // version: -

Trust: 0.8

sources: JVNDB: JVNDB-2020-006134 // NVD: CVE-2020-3223

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-3223
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3223
value: MEDIUM

Trust: 1.0

NVD: JVNDB-2020-006134
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202006-323
value: MEDIUM

Trust: 0.6

VULHUB: VHN-181348
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-3223
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:L/AU:S/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-006134
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:L/AU:S/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-181348
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:L/AU:S/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-3223
baseSeverity: MEDIUM
baseScore: 4.9
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.2
impactScore: 3.6
version: 3.1

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3223
baseSeverity: MEDIUM
baseScore: 4.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 0.9
impactScore: 3.6
version: 3.0

Trust: 1.0

NVD: JVNDB-2020-006134
baseSeverity: MEDIUM
baseScore: 4.9
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-181348 // JVNDB: JVNDB-2020-006134 // CNNVD: CNNVD-202006-323 // NVD: CVE-2020-3223 // NVD: CVE-2020-3223

PROBLEMTYPE DATA

problemtype:CWE-59

Trust: 1.9

sources: VULHUB: VHN-181348 // JVNDB: JVNDB-2020-006134 // NVD: CVE-2020-3223

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202006-323

TYPE

post link

Trust: 0.6

sources: CNNVD: CNNVD-202006-323

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-006134

PATCH

title: cisco-sa-webui-filerd-HngnDYGk // url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webui-filerd-HngnDYGk

Trust: 0.8

title: Cisco IOS XE Post-link vulnerability fixes // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=120228

Trust: 0.6

sources: JVNDB: JVNDB-2020-006134 // CNNVD: CNNVD-202006-323

EXTERNAL IDS

db: NVD // id: CVE-2020-3223

Trust: 2.5

db: JVNDB // id: JVNDB-2020-006134

Trust: 0.8

db: CNNVD // id: CNNVD-202006-323

Trust: 0.7

db: AUSCERT // id: ESB-2020.1938

Trust: 0.6

db: VULHUB // id: VHN-181348

Trust: 0.1

sources: VULHUB: VHN-181348 // JVNDB: JVNDB-2020-006134 // CNNVD: CNNVD-202006-323 // NVD: CVE-2020-3223

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-webui-filerd-hngndygk

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2020-3223

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-3223

Trust: 0.8

url:https://www.auscert.org.au/bulletins/esb-2020.1938/

Trust: 0.6

url:https://vigilance.fr/vulnerability/cisco-ios-xe-multiple-vulnerabilities-32421

Trust: 0.6

sources: VULHUB: VHN-181348 // JVNDB: JVNDB-2020-006134 // CNNVD: CNNVD-202006-323 // NVD: CVE-2020-3223

SOURCES

db: VULHUB // id: VHN-181348
db: JVNDB // id: JVNDB-2020-006134
db: CNNVD // id: CNNVD-202006-323
db: NVD // id: CVE-2020-3223

LAST UPDATE DATE

2024-11-23T21:34:49.651000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-181348 // date: 2020-06-09T00:00:00
db: JVNDB // id: JVNDB-2020-006134 // date: 2020-07-01T00:00:00
db: CNNVD // id: CNNVD-202006-323 // date: 2020-06-10T00:00:00
db: NVD // id: CVE-2020-3223 // date: 2024-11-21T05:30:35.800

SOURCES RELEASE DATE

db: VULHUB // id: VHN-181348 // date: 2020-06-03T00:00:00
db: JVNDB // id: JVNDB-2020-006134 // date: 2020-07-01T00:00:00
db: CNNVD // id: CNNVD-202006-323 // date: 2020-06-03T00:00:00
db: NVD // id: CVE-2020-3223 // date: 2020-06-03T18:15:20.357