ID

VAR-202011-1020


CVE

CVE-2020-3482


TITLE

Cisco Expressway Software permission management vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2020-013760

DESCRIPTION

A vulnerability in the Traversal Using Relays around NAT (TURN) server component of Cisco Expressway software could allow an unauthenticated, remote attacker to bypass security controls and send network traffic to restricted destinations. The vulnerability is due to improper validation of specific connection information by the TURN server within the affected software. An attacker could exploit this issue by sending specially crafted network traffic to the affected software. A successful exploit could allow the attacker to send traffic through the affected software to destinations beyond the application, possibly allowing the attacker to gain unauthorized network access. Cisco Expressway software contains a vulnerability in privilege management. Information may be obtained and information may be tampered with. The software provides simple, highly secure access for users outside the firewall, helping remote workers work more efficiently on the device of their choice.

Trust: 1.71

sources: NVD: CVE-2020-3482 // JVNDB: JVNDB-2020-013760 // VULHUB: VHN-181607

AFFECTED PRODUCTS

vendor: cisco, model: expressway, scope: lt, version: x12.6.3

Trust: 1.0

vendor: cisco, model: telepresence video communication server, scope: lt, version: x12.6.3

Trust: 1.0

vendor: Cisco Systems, model: cisco telepresence video communication server software, scope: -, version: -

Trust: 0.8

vendor: Cisco Systems, model: cisco expressway, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2020-013760 // NVD: CVE-2020-3482

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-3482
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3482
value: MEDIUM

Trust: 1.0

NVD: CVE-2020-3482
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202011-1609
value: MEDIUM

Trust: 0.6

VULHUB: VHN-181607
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-3482
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-181607
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

ykramarz@cisco.com: CVE-2020-3482
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.5
version: 3.0

Trust: 1.8

nvd@nist.gov: CVE-2020-3482
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.5
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-181607 // JVNDB: JVNDB-2020-013760 // CNNVD: CNNVD-202011-1609 // NVD: CVE-2020-3482 // NVD: CVE-2020-3482

PROBLEMTYPE DATA

problemtype:CWE-269

Trust: 1.1

problemtype:CWE-284

Trust: 1.0

problemtype:Improper authority management (CWE-269) [NVD Evaluation]

Trust: 0.8

sources: VULHUB: VHN-181607 // JVNDB: JVNDB-2020-013760 // NVD: CVE-2020-3482

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202011-1609

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-202011-1609

PATCH

title: cisco-sa-Expressway-8J3yZ7hV, url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-Expressway-8J3yZ7hV

Trust: 0.8

title: Cisco Expressway Series Fixes for access control error vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=134784

Trust: 0.6

sources: JVNDB: JVNDB-2020-013760 // CNNVD: CNNVD-202011-1609

EXTERNAL IDS

db: NVD, id: CVE-2020-3482

Trust: 2.5

db: JVNDB, id: JVNDB-2020-013760

Trust: 0.8

db: AUSCERT, id: ESB-2020.4104

Trust: 0.6

db: CNNVD, id: CNNVD-202011-1609

Trust: 0.6

db: VULHUB, id: VHN-181607

Trust: 0.1

sources: VULHUB: VHN-181607 // JVNDB: JVNDB-2020-013760 // CNNVD: CNNVD-202011-1609 // NVD: CVE-2020-3482

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-expressway-8j3yz7hv

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2020-3482

Trust: 1.4

url:https://www.auscert.org.au/bulletins/esb-2020.4104/

Trust: 0.6

sources: VULHUB: VHN-181607 // JVNDB: JVNDB-2020-013760 // CNNVD: CNNVD-202011-1609 // NVD: CVE-2020-3482

SOURCES

db: VULHUB, id: VHN-181607
db: JVNDB, id: JVNDB-2020-013760
db: CNNVD, id: CNNVD-202011-1609
db: NVD, id: CVE-2020-3482

LAST UPDATE DATE

2024-08-14T14:18:43.427000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-181607, date: 2020-12-02T00:00:00
db: JVNDB, id: JVNDB-2020-013760, date: 2021-07-13T07:56:00
db: CNNVD, id: CNNVD-202011-1609, date: 2020-12-03T00:00:00
db: NVD, id: CVE-2020-3482, date: 2020-12-02T16:57:00.417

SOURCES RELEASE DATE

db: VULHUB, id: VHN-181607, date: 2020-11-18T00:00:00
db: JVNDB, id: JVNDB-2020-013760, date: 2021-07-13T00:00:00
db: CNNVD, id: CNNVD-202011-1609, date: 2020-11-18T00:00:00
db: NVD, id: CVE-2020-3482, date: 2020-11-18T19:15:12.697