ID

VAR-202009-1120


CVE

CVE-2020-3400


TITLE

Cisco IOS XE Software vulnerabilities related to lack of authentication

Trust: 0.8

sources: JVNDB: JVNDB-2020-011782

DESCRIPTION

A vulnerability in the web UI feature of Cisco IOS XE Software could allow an authenticated, remote attacker to utilize parts of the web UI for which they are not authorized. The vulnerability is due to insufficient authorization of web UI access requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web UI. A successful exploit could allow the attacker to utilize parts of the web UI for which they are not authorized. This could allow a Read-Only user to perform actions of an Admin user. Cisco IOS XE Software contains a vulnerability related to lack of authentication. Information may be obtained or tampered with, and a denial-of-service (DoS) condition may result. Cisco IOS and IOS XE are operating systems developed by Cisco for its network equipment.

Trust: 1.71

sources: NVD: CVE-2020-3400 // JVNDB: JVNDB-2020-011782 // VULHUB: VHN-181525

AFFECTED PRODUCTS

vendor: cisco, model: ios xe, scope: eq, version: 16.3.5

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.3.5b

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.3.6

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.3.7

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.3.11

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.3.2

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.3.9

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.3.10

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.3.3

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.3.1a

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.3.1

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.2.2

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.3.4

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.3.8

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 17.2.1t

Trust: 1.0

vendor: Cisco Systems, model: cisco ios xe, scope: eq, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2020-011782 // NVD: CVE-2020-3400

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-3400
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3400
value: HIGH

Trust: 1.0

NVD: CVE-2020-3400
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202009-1392
value: HIGH

Trust: 0.6

VULHUB: VHN-181525
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-3400
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-181525
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

ykramarz@cisco.com: CVE-2020-3400
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

nvd@nist.gov: CVE-2020-3400
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-181525 // JVNDB: JVNDB-2020-011782 // CNNVD: CNNVD-202009-1392 // NVD: CVE-2020-3400 // NVD: CVE-2020-3400

PROBLEMTYPE DATA

problemtype: CWE-862

Trust: 1.1

problemtype: Lack of authentication (CWE-862) [NVD Evaluation]

Trust: 0.8

sources: VULHUB: VHN-181525 // JVNDB: JVNDB-2020-011782 // NVD: CVE-2020-3400

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202009-1392

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202009-1392

PATCH

title: cisco-sa-webui-auth-bypass-6j2BYUc7
url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webui-auth-bypass-6j2BYUc7

Trust: 0.8

title: Cisco IOS and IOS XE Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=129055

Trust: 0.6

sources: JVNDB: JVNDB-2020-011782 // CNNVD: CNNVD-202009-1392

EXTERNAL IDS

db: NVD, id: CVE-2020-3400

Trust: 2.5

db: JVNDB, id: JVNDB-2020-011782

Trust: 0.8

db: NSFOCUS, id: 49466

Trust: 0.6

db: AUSCERT, id: ESB-2020.3274

Trust: 0.6

db: CNNVD, id: CNNVD-202009-1392

Trust: 0.6

db: VULHUB, id: VHN-181525

Trust: 0.1

sources: VULHUB: VHN-181525 // JVNDB: JVNDB-2020-011782 // CNNVD: CNNVD-202009-1392 // NVD: CVE-2020-3400

REFERENCES

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-webui-auth-bypass-6j2byuc7

Trust: 2.3

url: https://nvd.nist.gov/vuln/detail/cve-2020-3400

Trust: 1.4

url: https://vigilance.fr/vulnerability/cisco-ios-ios-xe-multiple-vulnerabilities-33416

Trust: 0.6

url: https://www.auscert.org.au/bulletins/esb-2020.3274/

Trust: 0.6

url: http://www.nsfocus.net/vulndb/49466

Trust: 0.6

sources: VULHUB: VHN-181525 // JVNDB: JVNDB-2020-011782 // CNNVD: CNNVD-202009-1392 // NVD: CVE-2020-3400

SOURCES

db: VULHUB, id: VHN-181525
db: JVNDB, id: JVNDB-2020-011782
db: CNNVD, id: CNNVD-202009-1392
db: NVD, id: CVE-2020-3400

LAST UPDATE DATE

2024-08-14T13:24:31.695000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-181525, date: 2020-11-24T00:00:00
db: JVNDB, id: JVNDB-2020-011782, date: 2021-04-14T08:16:00
db: CNNVD, id: CNNVD-202009-1392, date: 2020-11-27T00:00:00
db: NVD, id: CVE-2020-3400, date: 2020-11-24T15:38:39.107

SOURCES RELEASE DATE

db: VULHUB, id: VHN-181525, date: 2020-09-24T00:00:00
db: JVNDB, id: JVNDB-2020-011782, date: 2021-04-14T00:00:00
db: CNNVD, id: CNNVD-202009-1392, date: 2020-09-24T00:00:00
db: NVD, id: CVE-2020-3400, date: 2020-09-24T18:15:17.887