ID

VAR-202009-1172


CVE

CVE-2020-3495


TITLE

Cisco Jabber for Windows input validation vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2020-010750

DESCRIPTION

A vulnerability in Cisco Jabber for Windows could allow an authenticated, remote attacker to execute arbitrary code. The vulnerability is due to improper validation of message contents. An attacker could exploit this vulnerability by sending specially crafted Extensible Messaging and Presence Protocol (XMPP) messages to the affected software. A successful exploit could allow the attacker to cause the application to execute arbitrary programs on the targeted system with the privileges of the user account that is running the Cisco Jabber client software, possibly resulting in arbitrary code execution.

Cisco Jabber for Windows contains an input validation vulnerability. Information may be obtained or tampered with, and a denial-of-service (DoS) condition may result.

Both Cisco Jabber for Windows and Cisco Jabber are products of Cisco. Cisco Jabber for Windows is a unified communications client solution for the Windows platform. Cisco Jabber is a unified communications client solution. Both programs provide online status display, instant messaging, voice and other functions.

Trust: 1.71

sources: NVD: CVE-2020-3495 // JVNDB: JVNDB-2020-010750 // VULHUB: VHN-181620

AFFECTED PRODUCTS

vendor: cisco, model: jabber, scope: lt, version: 12.5.2

Trust: 1.0

vendor: cisco, model: jabber, scope: lt, version: 12.8.3

Trust: 1.0

vendor: cisco, model: jabber, scope: gte, version: 12.7

Trust: 1.0

vendor: cisco, model: jabber, scope: gte, version: 12.5

Trust: 1.0

vendor: cisco, model: jabber, scope: lt, version: 12.6.3

Trust: 1.0

vendor: cisco, model: jabber, scope: lt, version: 12.9.1

Trust: 1.0

vendor: cisco, model: jabber, scope: gte, version: 12.6

Trust: 1.0

vendor: cisco, model: jabber, scope: lt, version: 12.1.3

Trust: 1.0

vendor: cisco, model: jabber, scope: gte, version: 12.1

Trust: 1.0

vendor: cisco, model: jabber, scope: lt, version: 12.7.2

Trust: 1.0

vendor: cisco, model: jabber, scope: gte, version: 12.9

Trust: 1.0

vendor: cisco, model: jabber, scope: gte, version: 12.8

Trust: 1.0

vendor: Cisco Systems, model: cisco jabber, scope: eq, version: -

Trust: 0.8

vendor: Cisco Systems, model: cisco jabber, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2020-010750 // NVD: CVE-2020-3495

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-3495
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3495
value: CRITICAL

Trust: 1.0

NVD: CVE-2020-3495
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202009-135
value: HIGH

Trust: 0.6

VULHUB: VHN-181620
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2020-3495
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-181620
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-3495
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3495
baseSeverity: CRITICAL
baseScore: 9.9
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.1
impactScore: 6.0
version: 3.1

Trust: 1.0

NVD: CVE-2020-3495
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-181620 // JVNDB: JVNDB-2020-010750 // CNNVD: CNNVD-202009-135 // NVD: CVE-2020-3495 // NVD: CVE-2020-3495

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.1

problemtype: Improper Input Validation (CWE-20) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-181620 // JVNDB: JVNDB-2020-010750 // NVD: CVE-2020-3495

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202009-135

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-202009-135

PATCH

title: cisco-sa-jabber-UyTKCPGg
url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-jabber-UyTKCPGg

Trust: 0.8

sources: JVNDB: JVNDB-2020-010750

EXTERNAL IDS

db: NVD, id: CVE-2020-3495

Trust: 2.5

db: JVNDB, id: JVNDB-2020-010750

Trust: 0.8

db: CNNVD, id: CNNVD-202009-135

Trust: 0.7

db: AUSCERT, id: ESB-2020.3026

Trust: 0.6

db: NSFOCUS, id: 49100

Trust: 0.6

db: VULHUB, id: VHN-181620

Trust: 0.1

sources: VULHUB: VHN-181620 // JVNDB: JVNDB-2020-010750 // CNNVD: CNNVD-202009-135 // NVD: CVE-2020-3495

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-jabber-uytkcpgg

Trust: 2.3

url:https://nvd.nist.gov/vuln/detail/cve-2020-3495

Trust: 1.4

url:https://media.cert.europa.eu/static/securityadvisories/2020/cert-eu-sa2020-043.pdf

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.3026/

Trust: 0.6

url:http://www.nsfocus.net/vulndb/49100

Trust: 0.6

sources: VULHUB: VHN-181620 // JVNDB: JVNDB-2020-010750 // CNNVD: CNNVD-202009-135 // NVD: CVE-2020-3495

SOURCES

db: VULHUB, id: VHN-181620
db: JVNDB, id: JVNDB-2020-010750
db: CNNVD, id: CNNVD-202009-135
db: NVD, id: CVE-2020-3495

LAST UPDATE DATE

2024-11-23T22:21:02.308000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-181620, date: 2021-10-19T00:00:00
db: JVNDB, id: JVNDB-2020-010750, date: 2021-02-03T02:26:00
db: CNNVD, id: CNNVD-202009-135, date: 2020-09-25T00:00:00
db: NVD, id: CVE-2020-3495, date: 2024-11-21T05:31:11.240

SOURCES RELEASE DATE

db: VULHUB, id: VHN-181620, date: 2020-09-04T00:00:00
db: JVNDB, id: JVNDB-2020-010750, date: 2021-02-03T00:00:00
db: CNNVD, id: CNNVD-202009-135, date: 2020-09-02T00:00:00
db: NVD, id: CVE-2020-3495, date: 2020-09-04T03:15:10.450