Details of VAR-202011-1499

ID

VAR-202011-1499

CVE

CVE-2020-26064

TITLE

Cisco Systems Cisco Catalyst SD-WAN Manager In XML External entity vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2020-018092

DESCRIPTION

A vulnerability in the web UI of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to gain read and write access to information that is stored on an affected system. The vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by persuading a user to import a crafted XML file with malicious entries. A successful exploit could allow the attacker to read and write files within the affected application. Cisco Systems Cisco Catalyst SD-WAN Manager for, XML There is a vulnerability in an external entity.Information may be obtained and information may be tampered with

Trust: 1.71

sources: NVD: CVE-2020-26064 // JVNDB: JVNDB-2020-018092 // VULMON: CVE-2020-26064

AFFECTED PRODUCTS

vendor:	cisco	model:	catalyst sd-wan manager	scope:	eq	version:	18.4.302	Trust: 1.0
vendor:	cisco	model:	catalyst sd-wan manager	scope:	eq	version:	18.3.1	Trust: 1.0
vendor:	cisco	model:	catalyst sd-wan manager	scope:	eq	version:	18.2.0	Trust: 1.0
vendor:	cisco	model:	catalyst sd-wan manager	scope:	eq	version:	18.3.4	Trust: 1.0
vendor:	cisco	model:	catalyst sd-wan manager	scope:	eq	version:	18.3.3	Trust: 1.0
vendor:	cisco	model:	catalyst sd-wan manager	scope:	eq	version:	17.2.10	Trust: 1.0
vendor:	cisco	model:	catalyst sd-wan manager	scope:	eq	version:	18.4.1	Trust: 1.0
vendor:	cisco	model:	catalyst sd-wan manager	scope:	eq	version:	19.2.31	Trust: 1.0
vendor:	cisco	model:	catalyst sd-wan manager	scope:	eq	version:	17.2.8	Trust: 1.0
vendor:	cisco	model:	catalyst sd-wan manager	scope:	eq	version:	18.3.0	Trust: 1.0
vendor:	cisco	model:	catalyst sd-wan manager	scope:	eq	version:	20.3.1	Trust: 1.0
vendor:	cisco	model:	catalyst sd-wan manager	scope:	eq	version:	19.2.0	Trust: 1.0
vendor:	cisco	model:	catalyst sd-wan manager	scope:	eq	version:	18.4.0.1	Trust: 1.0
vendor:	cisco	model:	catalyst sd-wan manager	scope:	eq	version:	20.1.1.1	Trust: 1.0
vendor:	cisco	model:	catalyst sd-wan manager	scope:	eq	version:	17.2.5	Trust: 1.0
vendor:	cisco	model:	catalyst sd-wan manager	scope:	eq	version:	17.2.4	Trust: 1.0
vendor:	cisco	model:	catalyst sd-wan manager	scope:	eq	version:	18.3.1.1	Trust: 1.0
vendor:	cisco	model:	catalyst sd-wan manager	scope:	eq	version:	19.2.097	Trust: 1.0
vendor:	cisco	model:	catalyst sd-wan manager	scope:	eq	version:	20.1.12	Trust: 1.0
vendor:	cisco	model:	catalyst sd-wan manager	scope:	eq	version:	17.2.7	Trust: 1.0
vendor:	cisco	model:	catalyst sd-wan manager	scope:	eq	version:	19.2.2	Trust: 1.0
vendor:	cisco	model:	catalyst sd-wan manager	scope:	eq	version:	18.3.8	Trust: 1.0
vendor:	cisco	model:	catalyst sd-wan manager	scope:	eq	version:	17.2.6	Trust: 1.0
vendor:	cisco	model:	catalyst sd-wan manager	scope:	eq	version:	18.3.3.1	Trust: 1.0
vendor:	cisco	model:	catalyst sd-wan manager	scope:	eq	version:	18.4.0	Trust: 1.0
vendor:	cisco	model:	catalyst sd-wan manager	scope:	eq	version:	18.4.3	Trust: 1.0
vendor:	cisco	model:	catalyst sd-wan manager	scope:	eq	version:	19.2.099	Trust: 1.0
vendor:	cisco	model:	catalyst sd-wan manager	scope:	eq	version:	20.1.1	Trust: 1.0
vendor:	cisco	model:	catalyst sd-wan manager	scope:	eq	version:	18.3.5	Trust: 1.0
vendor:	cisco	model:	catalyst sd-wan manager	scope:	eq	version:	19.2.1	Trust: 1.0
vendor:	cisco	model:	catalyst sd-wan manager	scope:	eq	version:	18.3.6.1	Trust: 1.0
vendor:	cisco	model:	catalyst sd-wan manager	scope:	eq	version:	18.3.7	Trust: 1.0
vendor:	cisco	model:	catalyst sd-wan manager	scope:	eq	version:	19.2.3	Trust: 1.0
vendor:	cisco	model:	catalyst sd-wan manager	scope:	eq	version:	19.2.929	Trust: 1.0
vendor:	cisco	model:	catalyst sd-wan manager	scope:	eq	version:	17.2.9	Trust: 1.0
vendor:	cisco	model:	catalyst sd-wan manager	scope:	eq	version:	18.4.303	Trust: 1.0
vendor:	cisco	model:	catalyst sd-wan manager	scope:	eq	version:	18.4.4	Trust: 1.0
vendor:	cisco	model:	catalyst sd-wan manager	scope:	eq	version:	18.4.5	Trust: 1.0
vendor:	cisco	model:	catalyst sd-wan manager	scope:	eq	version:	19.3.0	Trust: 1.0
vendor:	cisco	model:	catalyst sd-wan manager	scope:	eq	version:	19.1.0	Trust: 1.0
vendor:	シスコシステムズ	model:	cisco catalyst sd-wan manager	scope:	eq	version:	18.4.0.1	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco catalyst sd-wan manager	scope:	eq	version:	17.2.7	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco catalyst sd-wan manager	scope:	eq	version:	17.2.6	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco catalyst sd-wan manager	scope:	eq	version:	18.3.3	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco catalyst sd-wan manager	scope:	eq	version:	18.3.8	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco catalyst sd-wan manager	scope:	eq	version:	18.2.0	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco catalyst sd-wan manager	scope:	eq	version:	18.3.1	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco catalyst sd-wan manager	scope:	eq	version:	17.2.9	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco catalyst sd-wan manager	scope:	eq	version:	18.3.1.1	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco catalyst sd-wan manager	scope:	eq	version:	18.3.5	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco catalyst sd-wan manager	scope:	eq	version:	18.4.0	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco catalyst sd-wan manager	scope:	eq	version:	17.2.8	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco catalyst sd-wan manager	scope:	eq	version:	17.2.10	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco catalyst sd-wan manager	scope:	eq	version:	-	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco catalyst sd-wan manager	scope:	-	version:	-	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco catalyst sd-wan manager	scope:	eq	version:	18.3.3.1	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco catalyst sd-wan manager	scope:	eq	version:	18.3.4	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco catalyst sd-wan manager	scope:	eq	version:	17.2.5	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco catalyst sd-wan manager	scope:	eq	version:	18.3.7	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco catalyst sd-wan manager	scope:	eq	version:	18.3.0	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco catalyst sd-wan manager	scope:	eq	version:	17.2.4	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco catalyst sd-wan manager	scope:	eq	version:	18.3.6.1	Trust: 0.8

sources: JVNDB: JVNDB-2020-018092 // NVD: CVE-2020-26064

CVSS

SEVERITY

CVSSV2

CVSSV3

ykramarz@cisco.com:	CVE-2020-26064
value:	MEDIUM
Trust: 1.0
nvd@nist.gov:	CVE-2020-26064
value:	HIGH
Trust: 1.0
NVD:	CVE-2020-26064
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202011-324
value:	MEDIUM
Trust: 0.6

ykramarz@cisco.com:	CVE-2020-26064
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	3.6
version:	3.0
Trust: 1.0
nvd@nist.gov:	CVE-2020-26064
baseSeverity:	HIGH
baseScore:	8.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	5.2
version:	3.1
Trust: 1.0
NVD:	CVE-2020-26064
baseSeverity:	HIGH
baseScore:	8.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2020-018092 // CNNVD: CNNVD-202011-324 // NVD: CVE-2020-26064 // NVD: CVE-2020-26064

PROBLEMTYPE DATA

problemtype:	CWE-611	Trust: 1.0
problemtype:	XML Improper restriction of external entity references (CWE-611) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2020-018092 // NVD: CVE-2020-26064

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-202011-324

PATCH

title:	cisco-sa-vmanx2-KpFVSUc	url:	https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmanx2-KpFVSUc	Trust: 0.8
title:	Cisco SD-WAN vManage web UI Fixes for code issue vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=132573	Trust: 0.6
title:	Cisco: Cisco SD-WAN vManage Software XML External Entity Vulnerability	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-vmanx2-KpFVSUc	Trust: 0.1

sources: VULMON: CVE-2020-26064 // JVNDB: JVNDB-2020-018092 // CNNVD: CNNVD-202011-324

EXTERNAL IDS

db:	NVD	id:	CVE-2020-26064	Trust: 3.3
db:	JVNDB	id:	JVNDB-2020-018092	Trust: 0.8
db:	AUSCERT	id:	ESB-2020.3816	Trust: 0.6
db:	CNNVD	id:	CNNVD-202011-324	Trust: 0.6
db:	VULMON	id:	CVE-2020-26064	Trust: 0.1

sources: VULMON: CVE-2020-26064 // JVNDB: JVNDB-2020-018092 // CNNVD: CNNVD-202011-324 // NVD: CVE-2020-26064

REFERENCES

url:	https://sec.cloudapps.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-vmanx2-kpfvsuc	Trust: 1.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-26064	Trust: 0.8
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-vmanx2-kpfvsuc	Trust: 0.7
url:	https://www.auscert.org.au/bulletins/esb-2020.3816/	Trust: 0.6
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULMON: CVE-2020-26064 // JVNDB: JVNDB-2020-018092 // CNNVD: CNNVD-202011-324 // NVD: CVE-2020-26064

SOURCES

db:	VULMON	id:	CVE-2020-26064
db:	JVNDB	id:	JVNDB-2020-018092
db:	CNNVD	id:	CNNVD-202011-324
db:	NVD	id:	CVE-2020-26064

LAST UPDATE DATE

2024-08-14T14:03:25.987000+00:00

SOURCES UPDATE DATE

db:	VULMON	id:	CVE-2020-26064	date:	2023-08-06T00:00:00
db:	JVNDB	id:	JVNDB-2020-018092	date:	2024-01-19T06:25:00
db:	CNNVD	id:	CNNVD-202011-324	date:	2020-11-06T00:00:00
db:	NVD	id:	CVE-2020-26064	date:	2024-01-25T17:15:13.730

SOURCES RELEASE DATE

db:	VULMON	id:	CVE-2020-26064	date:	2023-08-04T00:00:00
db:	JVNDB	id:	JVNDB-2020-018092	date:	2024-01-19T00:00:00
db:	CNNVD	id:	CNNVD-202011-324	date:	2020-11-04T00:00:00
db:	NVD	id:	CVE-2020-26064	date:	2023-08-04T21:15:09.580