ID

VAR-202006-1136


CVE

CVE-2020-3333


TITLE

Cisco Application Services Engine Vulnerability in lack of authentication for critical functions in software

Trust: 0.8

sources: JVNDB: JVNDB-2020-006323

DESCRIPTION

A vulnerability in the API of Cisco Application Services Engine Software could allow an unauthenticated, remote attacker to update event policies on an affected device. The vulnerability is due to insufficient authentication of users who modify policies on an affected device. An attacker could exploit this vulnerability by crafting a malicious HTTP request to contact an affected device. A successful exploit could allow the attacker to update event policies on the affected device.

Trust: 1.71

sources: NVD: CVE-2020-3333 // JVNDB: JVNDB-2020-006323 // VULHUB: VHN-181458

AFFECTED PRODUCTS

vendor: cisco, model: application services engine, scope: lt, version: 1.1.2.20

Trust: 1.0

vendor: cisco, model: application policy infrastructure controller, scope: eq, version: 1.1\(0c\)

Trust: 1.0

vendor: cisco, model: application policy infrastructure controller, scope: -, version: -

Trust: 0.8

vendor: cisco, model: application services engine, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2020-006323 // NVD: CVE-2020-3333

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-3333
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3333
value: MEDIUM

Trust: 1.0

NVD: JVNDB-2020-006323
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202006-338
value: MEDIUM

Trust: 0.6

VULHUB: VHN-181458
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-3333
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-006323
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-181458
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-3333
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 1.4
version: 3.1

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3333
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 1.4
version: 3.0

Trust: 1.0

NVD: JVNDB-2020-006323
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-181458 // JVNDB: JVNDB-2020-006323 // CNNVD: CNNVD-202006-338 // NVD: CVE-2020-3333 // NVD: CVE-2020-3333

PROBLEMTYPE DATA

problemtype:CWE-306

Trust: 1.9

sources: VULHUB: VHN-181458 // JVNDB: JVNDB-2020-006323 // NVD: CVE-2020-3333

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202006-338

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-202006-338

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-006323

PATCH

title: cisco-sa-APIC-EPU-F8y5kUOP, url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-APIC-EPU-F8y5kUOP

Trust: 0.8

title: Cisco Application Services Engine Fixes for access control error vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=120788

Trust: 0.6

sources: JVNDB: JVNDB-2020-006323 // CNNVD: CNNVD-202006-338

EXTERNAL IDS

db: NVD, id: CVE-2020-3333

Trust: 2.5

db: JVNDB, id: JVNDB-2020-006323

Trust: 0.8

db: CNNVD, id: CNNVD-202006-338

Trust: 0.7

db: AUSCERT, id: ESB-2020.1930

Trust: 0.6

db: CNVD, id: CNVD-2020-32907

Trust: 0.1

db: VULHUB, id: VHN-181458

Trust: 0.1

sources: VULHUB: VHN-181458 // JVNDB: JVNDB-2020-006323 // CNNVD: CNNVD-202006-338 // NVD: CVE-2020-3333

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-apic-epu-f8y5kuop

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2020-3333

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-3333

Trust: 0.8

url:https://www.auscert.org.au/bulletins/esb-2020.1930/

Trust: 0.6

sources: VULHUB: VHN-181458 // JVNDB: JVNDB-2020-006323 // CNNVD: CNNVD-202006-338 // NVD: CVE-2020-3333

SOURCES

db: VULHUB, id: VHN-181458
db: JVNDB, id: JVNDB-2020-006323
db: CNNVD, id: CNNVD-202006-338
db: NVD, id: CVE-2020-3333

LAST UPDATE DATE

2024-08-14T14:44:48.974000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-181458, date: 2020-06-11T00:00:00
db: JVNDB, id: JVNDB-2020-006323, date: 2020-07-07T00:00:00
db: CNNVD, id: CNNVD-202006-338, date: 2020-06-12T00:00:00
db: NVD, id: CVE-2020-3333, date: 2020-06-11T12:59:50.643

SOURCES RELEASE DATE

db: VULHUB, id: VHN-181458, date: 2020-06-03T00:00:00
db: JVNDB, id: JVNDB-2020-006323, date: 2020-07-07T00:00:00
db: CNNVD, id: CNNVD-202006-338, date: 2020-06-03T00:00:00
db: NVD, id: CVE-2020-3333, date: 2020-06-03T18:15:22.370