ID

VAR-202010-1043


CVE

CVE-2020-3578


TITLE

Cisco Adaptive Security Appliance Software and Cisco Firepower Threat Defense software Unauthorized authentication vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2020-009718

DESCRIPTION

A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass a configured access rule and access parts of the WebVPN portal that are supposed to be blocked. The vulnerability is due to insufficient validation of URLs when portal access rules are configured. An attacker could exploit this vulnerability by accessing certain URLs on the affected device. The platform provides features such as highly secure access to data and network resources

Trust: 1.8

sources: NVD: CVE-2020-3578 // JVNDB: JVNDB-2020-009718 // VULHUB: VHN-181703 // VULMON: CVE-2020-3578

AFFECTED PRODUCTS

vendor:ciscomodel:adaptive security appliance softwarescope:ltversion:9.10.1.44

Trust: 1.0

vendor:ciscomodel:adaptive security appliance softwarescope:ltversion:9.6.4.45

Trust: 1.0

vendor:ciscomodel:adaptive security appliance softwarescope:ltversion:9.9.2.80

Trust: 1.0

vendor:ciscomodel:adaptive security appliance softwarescope:gteversion:9.13

Trust: 1.0

vendor:ciscomodel:firepower threat defensescope:ltversion:6.4.0.10

Trust: 1.0

vendor:ciscomodel:adaptive security appliance softwarescope:gteversion:9.7

Trust: 1.0

vendor:ciscomodel:firepower threat defensescope:gteversion:6.4.0

Trust: 1.0

vendor:ciscomodel:firepower threat defensescope:ltversion:6.3.0.6

Trust: 1.0

vendor:ciscomodel:firepower threat defensescope:ltversion:6.6.1

Trust: 1.0

vendor:ciscomodel:adaptive security appliance softwarescope:gteversion:9.14

Trust: 1.0

vendor:ciscomodel:firepower threat defensescope:ltversion:6.5.0.5

Trust: 1.0

vendor:ciscomodel:adaptive security appliance softwarescope:ltversion:9.12.4.4

Trust: 1.0

vendor:ciscomodel:adaptive security appliance softwarescope:ltversion:9.14.1.19

Trust: 1.0

vendor:ciscomodel:firepower threat defensescope:gteversion:6.6.0

Trust: 1.0

vendor:ciscomodel:firepower threat defensescope:gteversion:6.5.0

Trust: 1.0

vendor:ciscomodel:adaptive security appliance softwarescope:gteversion:9.12

Trust: 1.0

vendor:ciscomodel:adaptive security appliance softwarescope:gteversion:9.9

Trust: 1.0

vendor:ciscomodel:adaptive security appliance softwarescope:gteversion:9.10

Trust: 1.0

vendor:ciscomodel:adaptive security appliance softwarescope:ltversion:9.8.4.26

Trust: 1.0

vendor:ciscomodel:adaptive security appliance softwarescope:ltversion:9.13.1.13

Trust: 1.0

vendor:ciscomodel:adaptive security appliance softwarescope: - version: -

Trust: 0.8

vendor:ciscomodel:firepower threat defense softwarescope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2020-009718 // NVD: CVE-2020-3578

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-3578
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3578
value: MEDIUM

Trust: 1.0

NVD: JVNDB-2020-009718
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202010-1175
value: MEDIUM

Trust: 0.6

VULHUB: VHN-181703
value: MEDIUM

Trust: 0.1

VULMON: CVE-2020-3578
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-3578
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

NVD: JVNDB-2020-009718
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-181703
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-3578
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.5
version: 3.1

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3578
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 1.4
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-009718
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-181703 // VULMON: CVE-2020-3578 // JVNDB: JVNDB-2020-009718 // CNNVD: CNNVD-202010-1175 // NVD: CVE-2020-3578 // NVD: CVE-2020-3578

PROBLEMTYPE DATA

problemtype:CWE-863

Trust: 1.9

sources: VULHUB: VHN-181703 // JVNDB: JVNDB-2020-009718 // NVD: CVE-2020-3578

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202010-1175

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202010-1175

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-009718

PATCH

title:cisco-sa-asaftd-rule-bypass-P73ABNWQurl:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-rule-bypass-P73ABNWQ

Trust: 0.8

title:Cisco: Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software WebVPN Portal Access Rule Bypass Vulnerabilityurl:https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-asaftd-rule-bypass-P73ABNWQ

Trust: 0.1

sources: VULMON: CVE-2020-3578 // JVNDB: JVNDB-2020-009718

EXTERNAL IDS

db:NVDid:CVE-2020-3578

Trust: 2.6

db:JVNDBid:JVNDB-2020-009718

Trust: 0.8

db:CNNVDid:CNNVD-202010-1175

Trust: 0.7

db:AUSCERTid:ESB-2020.3642.3

Trust: 0.6

db:AUSCERTid:ESB-2020.3642

Trust: 0.6

db:NSFOCUSid:50191

Trust: 0.6

db:CNVDid:CNVD-2021-44677

Trust: 0.1

db:VULHUBid:VHN-181703

Trust: 0.1

db:VULMONid:CVE-2020-3578

Trust: 0.1

sources: VULHUB: VHN-181703 // VULMON: CVE-2020-3578 // JVNDB: JVNDB-2020-009718 // CNNVD: CNNVD-202010-1175 // NVD: CVE-2020-3578

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-asaftd-rule-bypass-p73abnwq

Trust: 2.5

url:https://nvd.nist.gov/vuln/detail/cve-2020-3578

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-3578

Trust: 0.8

url:http://www.nsfocus.net/vulndb/50191

Trust: 0.6

url:https://vigilance.fr/vulnerability/cisco-asa-software-privilege-escalation-via-webvpn-portal-access-rule-bypass-33671

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.3642.3

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.3642/

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/863.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-181703 // VULMON: CVE-2020-3578 // JVNDB: JVNDB-2020-009718 // CNNVD: CNNVD-202010-1175 // NVD: CVE-2020-3578

SOURCES

db:VULHUBid:VHN-181703
db:VULMONid:CVE-2020-3578
db:JVNDBid:JVNDB-2020-009718
db:CNNVDid:CNNVD-202010-1175
db:NVDid:CVE-2020-3578

LAST UPDATE DATE

2024-11-23T21:35:09.529000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-181703date:2022-05-26T00:00:00
db:VULMONid:CVE-2020-3578date:2020-10-30T00:00:00
db:JVNDBid:JVNDB-2020-009718date:2020-12-02T06:59:25
db:CNNVDid:CNNVD-202010-1175date:2021-06-30T00:00:00
db:NVDid:CVE-2020-3578date:2024-11-21T05:31:20.837

SOURCES RELEASE DATE

db:VULHUBid:VHN-181703date:2020-10-21T00:00:00
db:VULMONid:CVE-2020-3578date:2020-10-21T00:00:00
db:JVNDBid:JVNDB-2020-009718date:2020-12-02T06:59:25
db:CNNVDid:CNNVD-202010-1175date:2020-10-21T00:00:00
db:NVDid:CVE-2020-3578date:2020-10-21T19:15:18.513