Details of VAR-202006-1153

ID

VAR-202006-1153

CVE

CVE-2020-3368

TITLE

Cisco Email Security Appliance of AsyncOS Input verification vulnerabilities in software

Trust: 0.8

sources: JVNDB: JVNDB-2020-006921

DESCRIPTION

A vulnerability in the antispam protection mechanisms of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass the URL reputation filters on an affected device. The vulnerability is due to insufficient input validation of URLs. An attacker could exploit this vulnerability by crafting the URL in a particular way. A successful exploit could allow the attacker to bypass the URL reputation filters that are configured for the affected device, which could allow malicious URLs to pass through the device. AsyncOS Software is a set of operating systems running in it

Trust: 2.16

sources: NVD: CVE-2020-3368 // JVNDB: JVNDB-2020-006921 // CNVD: CNVD-2020-41805

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2020-41805

AFFECTED PRODUCTS

vendor:	cisco	model:	asyncos	scope:	lt	version:	13.5.0	Trust: 1.0
vendor:	cisco	model:	asyncos	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	email security appliance	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2020-41805 // JVNDB: JVNDB-2020-006921 // NVD: CVE-2020-3368

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-3368
value:	MEDIUM
Trust: 1.0
ykramarz@cisco.com:	CVE-2020-3368
value:	MEDIUM
Trust: 1.0
NVD:	JVNDB-2020-006921
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2020-41805
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202006-1145
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2020-3368
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
NVD:	JVNDB-2020-006921
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2020-41805
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2020-3368
baseSeverity:	MEDIUM
baseScore:	5.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	NONE
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	1.4
version:	3.1
Trust: 1.0
ykramarz@cisco.com:	CVE-2020-3368
baseSeverity:	MEDIUM
baseScore:	5.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	NONE
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	1.4
version:	3.0
Trust: 1.0
NVD:	JVNDB-2020-006921
baseSeverity:	MEDIUM
baseScore:	5.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	NONE
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2020-41805 // JVNDB: JVNDB-2020-006921 // CNNVD: CNNVD-202006-1145 // NVD: CVE-2020-3368 // NVD: CVE-2020-3368

PROBLEMTYPE DATA

problemtype:

CWE-20

Trust: 1.8

sources: JVNDB: JVNDB-2020-006921 // NVD: CVE-2020-3368

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202006-1145

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-202006-1145

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-006921

PATCH

title:	cisco-sa-esa-url-bypass-WO4BZ75s	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-url-bypass-WO4BZ75s	Trust: 0.8
title:	Patch for Cisco Email Security Appliance AsyncOS Software input validation error vulnerability (CNVD-2020-41805)	url:	https://www.cnvd.org.cn/patchInfo/show/226365	Trust: 0.6
title:	Cisco Email Security Appliance AsyncOS Software Enter the fix for the verification error vulnerability	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=121838	Trust: 0.6

sources: CNVD: CNVD-2020-41805 // JVNDB: JVNDB-2020-006921 // CNNVD: CNNVD-202006-1145

EXTERNAL IDS

db:	NVD	id:	CVE-2020-3368	Trust: 3.0
db:	AUSCERT	id:	ESB-2020.2120	Trust: 1.2
db:	JVNDB	id:	JVNDB-2020-006921	Trust: 0.8
db:	CNVD	id:	CNVD-2020-41805	Trust: 0.6
db:	CNNVD	id:	CNNVD-202006-1145	Trust: 0.6

sources: CNVD: CNVD-2020-41805 // JVNDB: JVNDB-2020-006921 // CNNVD: CNNVD-202006-1145 // NVD: CVE-2020-3368

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-esa-url-bypass-wo4bz75s	Trust: 1.6
url:	https://nvd.nist.gov/vuln/detail/cve-2020-3368	Trust: 1.4
url:	https://www.auscert.org.au/bulletins/esb-2020.2120/	Trust: 1.2
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-3368	Trust: 0.8
url:	https://vigilance.fr/vulnerability/cisco-email-security-appliance-privilege-escalation-via-url-filtering-bypass-32556	Trust: 0.6

sources: CNVD: CNVD-2020-41805 // JVNDB: JVNDB-2020-006921 // CNNVD: CNNVD-202006-1145 // NVD: CVE-2020-3368

SOURCES

db:	CNVD	id:	CNVD-2020-41805
db:	JVNDB	id:	JVNDB-2020-006921
db:	CNNVD	id:	CNNVD-202006-1145
db:	NVD	id:	CVE-2020-3368

LAST UPDATE DATE

2024-11-23T21:35:43.505000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2020-41805	date:	2020-07-23T00:00:00
db:	JVNDB	id:	JVNDB-2020-006921	date:	2020-07-22T00:00:00
db:	CNNVD	id:	CNNVD-202006-1145	date:	2020-06-30T00:00:00
db:	NVD	id:	CVE-2020-3368	date:	2024-11-21T05:30:53.557

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2020-41805	date:	2020-07-21T00:00:00
db:	JVNDB	id:	JVNDB-2020-006921	date:	2020-07-22T00:00:00
db:	CNNVD	id:	CNNVD-202006-1145	date:	2020-06-17T00:00:00
db:	NVD	id:	CVE-2020-3368	date:	2020-06-18T03:15:14.793