Vulnerability-Lookup

CVE-2020-3452 (GCVE-0-2020-3452)

Vulnerability from cvelistv5 – Published: 2020-07-22 20:00 – Updated: 2025-10-21 23:35

Title

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Read-Only Path Traversal Vulnerability

Summary

A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device. The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-20

Assigner

cisco

References

URL

Tags

	https://tools.cisco.com/security/center/content/C…	vendor-advisoryx_refsource_CISCO
	http://packetstormsecurity.com/files/158646/Cisco…	x_refsource_MISC
	http://packetstormsecurity.com/files/158647/Cisco…	x_refsource_MISC
	http://packetstormsecurity.com/files/159523/Cisco…	x_refsource_MISC
	http://packetstormsecurity.com/files/160497/Cisco…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Cisco	Cisco Adaptive Security Appliance (ASA) Software	Affected: unspecified , < 9.6.4.42 (custom) Affected: unspecified , < 9.8.4.20 (custom) Affected: unspecified , < 9.9.2.74 (custom) Affected: unspecified , < 9.10.1.42 (custom) Affected: unspecified , < 9.13.1.10 (custom) Affected: unspecified , < 9.14.1.10 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T07:37:54.107Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "20200722 Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Read-Only Path Traversal Vulnerability",
            "tags": [
              "vendor-advisory",
              "x_refsource_CISCO",
              "x_transferred"
            ],
            "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/158646/Cisco-ASA-FTD-Remote-File-Disclosure.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/158647/Cisco-Adaptive-Security-Appliance-Software-9.11-Local-File-Inclusion.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/159523/Cisco-ASA-FTD-9.6.4.42-Path-Traversal.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/160497/Cisco-ASA-9.14.1.10-FTD-6.6.0.1-Path-Traversal.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2020-3452",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-04T15:34:29.959713Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2021-11-03",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-3452"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T23:35:39.038Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-3452"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2021-11-03T00:00:00.000Z",
            "value": "CVE-2020-3452 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Cisco Adaptive Security Appliance (ASA) Software",
          "vendor": "Cisco",
          "versions": [
            {
              "lessThan": "9.6.4.42",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "9.8.4.20",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "9.9.2.74",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "9.10.1.42",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "9.13.1.10",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "9.14.1.10",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2020-07-22T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device. The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-12-15T17:06:12.000Z",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "name": "20200722 Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Read-Only Path Traversal Vulnerability",
          "tags": [
            "vendor-advisory",
            "x_refsource_CISCO"
          ],
          "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/158646/Cisco-ASA-FTD-Remote-File-Disclosure.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/158647/Cisco-Adaptive-Security-Appliance-Software-9.11-Local-File-Inclusion.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/159523/Cisco-ASA-FTD-9.6.4.42-Path-Traversal.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/160497/Cisco-ASA-9.14.1.10-FTD-6.6.0.1-Path-Traversal.html"
        }
      ],
      "source": {
        "advisory": "cisco-sa-asaftd-ro-path-KJuQhB86",
        "defect": [
          [
            "CSCvt03598"
          ]
        ],
        "discovery": "INTERNAL"
      },
      "title": "Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Read-Only Path Traversal Vulnerability",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@cisco.com",
          "DATE_PUBLIC": "2020-07-22T16:00:00",
          "ID": "CVE-2020-3452",
          "STATE": "PUBLIC",
          "TITLE": "Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Read-Only Path Traversal Vulnerability"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Cisco Adaptive Security Appliance (ASA) Software",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "9.6.4.42"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "9.8.4.20"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "9.9.2.74"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "9.10.1.42"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "9.13.1.10"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "9.14.1.10"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Cisco"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device. The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files."
            }
          ]
        },
        "exploit": [
          {
            "lang": "en",
            "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."
          }
        ],
        "impact": {
          "cvss": {
            "baseScore": "7.5",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-20"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "20200722 Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Read-Only Path Traversal Vulnerability",
              "refsource": "CISCO",
              "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86"
            },
            {
              "name": "http://packetstormsecurity.com/files/158646/Cisco-ASA-FTD-Remote-File-Disclosure.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/158646/Cisco-ASA-FTD-Remote-File-Disclosure.html"
            },
            {
              "name": "http://packetstormsecurity.com/files/158647/Cisco-Adaptive-Security-Appliance-Software-9.11-Local-File-Inclusion.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/158647/Cisco-Adaptive-Security-Appliance-Software-9.11-Local-File-Inclusion.html"
            },
            {
              "name": "http://packetstormsecurity.com/files/159523/Cisco-ASA-FTD-9.6.4.42-Path-Traversal.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/159523/Cisco-ASA-FTD-9.6.4.42-Path-Traversal.html"
            },
            {
              "name": "http://packetstormsecurity.com/files/160497/Cisco-ASA-9.14.1.10-FTD-6.6.0.1-Path-Traversal.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/160497/Cisco-ASA-9.14.1.10-FTD-6.6.0.1-Path-Traversal.html"
            }
          ]
        },
        "source": {
          "advisory": "cisco-sa-asaftd-ro-path-KJuQhB86",
          "defect": [
            [
              "CSCvt03598"
            ]
          ],
          "discovery": "INTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2020-3452",
    "datePublished": "2020-07-22T20:00:22.049Z",
    "dateReserved": "2019-12-12T00:00:00.000Z",
    "dateUpdated": "2025-10-21T23:35:39.038Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "cisa_known_exploited": {
      "cveID": "CVE-2020-3452",
      "cwes": "[\"CWE-20\"]",
      "dateAdded": "2021-11-03",
      "dueDate": "2022-05-03",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": "https://nvd.nist.gov/vuln/detail/CVE-2020-3452",
      "product": "Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD)",
      "requiredAction": "Apply updates per vendor instructions.",
      "shortDescription": "Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an improper input validation vulnerability when HTTP requests process URLs.  An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device.",
      "vendorProject": "Cisco",
      "vulnerabilityName": "Cisco ASA and FTD Read-Only Path Traversal Vulnerability"
    },
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86\", \"name\": \"20200722 Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Read-Only Path Traversal Vulnerability\", \"tags\": [\"vendor-advisory\", \"x_refsource_CISCO\", \"x_transferred\"]}, {\"url\": \"http://packetstormsecurity.com/files/158646/Cisco-ASA-FTD-Remote-File-Disclosure.html\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"http://packetstormsecurity.com/files/158647/Cisco-Adaptive-Security-Appliance-Software-9.11-Local-File-Inclusion.html\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"http://packetstormsecurity.com/files/159523/Cisco-ASA-FTD-9.6.4.42-Path-Traversal.html\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"http://packetstormsecurity.com/files/160497/Cisco-ASA-9.14.1.10-FTD-6.6.0.1-Path-Traversal.html\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-04T07:37:54.107Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2020-3452\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-04T15:34:29.959713Z\"}}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2021-11-03\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-3452\"}}}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2021-11-03T00:00:00+00:00\", \"value\": \"CVE-2020-3452 added to CISA KEV\"}], \"references\": [{\"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-3452\", \"tags\": [\"government-resource\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-04T15:34:43.436Z\"}}], \"cna\": {\"title\": \"Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Read-Only Path Traversal Vulnerability\", \"source\": {\"defect\": [[\"CSCvt03598\"]], \"advisory\": \"cisco-sa-asaftd-ro-path-KJuQhB86\", \"discovery\": \"INTERNAL\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"Cisco\", \"product\": \"Cisco Adaptive Security Appliance (ASA) Software\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"9.6.4.42\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"9.8.4.20\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"9.9.2.74\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"9.10.1.42\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"9.13.1.10\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"9.14.1.10\", \"versionType\": \"custom\"}]}], \"exploits\": [{\"lang\": \"en\", \"value\": \"The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.\"}], \"datePublic\": \"2020-07-22T00:00:00.000Z\", \"references\": [{\"url\": \"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86\", \"name\": \"20200722 Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Read-Only Path Traversal Vulnerability\", \"tags\": [\"vendor-advisory\", \"x_refsource_CISCO\"]}, {\"url\": \"http://packetstormsecurity.com/files/158646/Cisco-ASA-FTD-Remote-File-Disclosure.html\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"http://packetstormsecurity.com/files/158647/Cisco-Adaptive-Security-Appliance-Software-9.11-Local-File-Inclusion.html\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"http://packetstormsecurity.com/files/159523/Cisco-ASA-FTD-9.6.4.42-Path-Traversal.html\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"http://packetstormsecurity.com/files/160497/Cisco-ASA-9.14.1.10-FTD-6.6.0.1-Path-Traversal.html\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device. The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-20\", \"description\": \"CWE-20\"}]}], \"providerMetadata\": {\"orgId\": \"d1c1063e-7a18-46af-9102-31f8928bc633\", \"shortName\": \"cisco\", \"dateUpdated\": \"2020-12-15T17:06:12.000Z\"}, \"x_legacyV4Record\": {\"impact\": {\"cvss\": {\"version\": \"3.0\", \"baseScore\": \"7.5\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\"}}, \"source\": {\"defect\": [[\"CSCvt03598\"]], \"advisory\": \"cisco-sa-asaftd-ro-path-KJuQhB86\", \"discovery\": \"INTERNAL\"}, \"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"version\": {\"version_data\": [{\"version_value\": \"9.6.4.42\", \"version_affected\": \"\u003c\"}, {\"version_value\": \"9.8.4.20\", \"version_affected\": \"\u003c\"}, {\"version_value\": \"9.9.2.74\", \"version_affected\": \"\u003c\"}, {\"version_value\": \"9.10.1.42\", \"version_affected\": \"\u003c\"}, {\"version_value\": \"9.13.1.10\", \"version_affected\": \"\u003c\"}, {\"version_value\": \"9.14.1.10\", \"version_affected\": \"\u003c\"}]}, \"product_name\": \"Cisco Adaptive Security Appliance (ASA) Software\"}]}, \"vendor_name\": \"Cisco\"}]}}, \"exploit\": [{\"lang\": \"en\", \"value\": \"The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.\"}], \"data_type\": \"CVE\", \"references\": {\"reference_data\": [{\"url\": \"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86\", \"name\": \"20200722 Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Read-Only Path Traversal Vulnerability\", \"refsource\": \"CISCO\"}, {\"url\": \"http://packetstormsecurity.com/files/158646/Cisco-ASA-FTD-Remote-File-Disclosure.html\", \"name\": \"http://packetstormsecurity.com/files/158646/Cisco-ASA-FTD-Remote-File-Disclosure.html\", \"refsource\": \"MISC\"}, {\"url\": \"http://packetstormsecurity.com/files/158647/Cisco-Adaptive-Security-Appliance-Software-9.11-Local-File-Inclusion.html\", \"name\": \"http://packetstormsecurity.com/files/158647/Cisco-Adaptive-Security-Appliance-Software-9.11-Local-File-Inclusion.html\", \"refsource\": \"MISC\"}, {\"url\": \"http://packetstormsecurity.com/files/159523/Cisco-ASA-FTD-9.6.4.42-Path-Traversal.html\", \"name\": \"http://packetstormsecurity.com/files/159523/Cisco-ASA-FTD-9.6.4.42-Path-Traversal.html\", \"refsource\": \"MISC\"}, {\"url\": \"http://packetstormsecurity.com/files/160497/Cisco-ASA-9.14.1.10-FTD-6.6.0.1-Path-Traversal.html\", \"name\": \"http://packetstormsecurity.com/files/160497/Cisco-ASA-9.14.1.10-FTD-6.6.0.1-Path-Traversal.html\", \"refsource\": \"MISC\"}]}, \"data_format\": \"MITRE\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device. The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.\"}]}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"CWE-20\"}]}]}, \"data_version\": \"4.0\", \"CVE_data_meta\": {\"ID\": \"CVE-2020-3452\", \"STATE\": \"PUBLIC\", \"TITLE\": \"Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Read-Only Path Traversal Vulnerability\", \"ASSIGNER\": \"psirt@cisco.com\", \"DATE_PUBLIC\": \"2020-07-22T16:00:00\"}}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2020-3452\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-21T23:35:39.038Z\", \"dateReserved\": \"2019-12-12T00:00:00.000Z\", \"assignerOrgId\": \"d1c1063e-7a18-46af-9102-31f8928bc633\", \"datePublished\": \"2020-07-22T20:00:22.049Z\", \"assignerShortName\": \"cisco\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

CERTFR-2020-ALE-018

Vulnerability from certfr_alerte - Published: 2020-07-28 - Updated: 2020-11-05

Le 22 juillet 2020, Cisco a publié des correctifs pour la vulnérabilité CVE-2020-3452.

Cette vulnérabilité affecte les équipements Adaptive Security Appliance (ASA) Software et Firepower Threat Defense (FTD) lorsque les fonctionnalités WebVPN ou AnyConnect sont activées.

Cette vulnérabilité permet à un attaquant de récupérer le contenu de n'importe quel fichier appartenant au système de fichiers des services web. Ce système de fichiers, monté en mémoire, est différent de celui du système d'exploitation de l'équipement. Il contient néanmoins potentiellement des informations sensibles sur la machine et sur le réseau que celle-ci est censée protéger.

Le jour où Cisco a publié ses mises à jour, un chercheur a publié des preuves de concept permettant d'exploiter cette vulnérabilité.

Le CERT-FR a connaissance de campagnes tentant d'exploiter cette vulnérabilité.

Solution

Un correctif n'est pas encore disponible pour toutes les versions.

Le CERT-FR recommande de migrer vers une version non vulnérable dans les plus brefs délais.

Dans tous les cas, le CERT-FR recommande de vérifier les journaux à la recherche de requêtes suspectes. Si celles-ci sont détectées, il faut en tirer les conséquences et modifier tous les secrets qui auront pu être compromis.

None

Impacted products

Vendor	Product	Description
Cisco	Adaptive Security Appliance	Cisco Adaptive Security Appliance (ASA) versions 9.12.x antérieures à 9.12.3.12
Cisco	Adaptive Security Appliance	Cisco Adaptive Security Appliance (ASA) versions antérieures à 9.6.4.42
Cisco	Firepower Threat Defense	Cisco Firepower Threat Defense (FTD) versions 6.5.x antérieures à 6.5.0.4 avec les correctifs de sécurité temporaires qui seront disponibles en août 2020 ou 6.5.0.5 (disponible automne 2020)
Cisco	Firepower Threat Defense	Cisco Firepower Threat Defense (FTD) versions 6.2.x antérieures à 6.2.3.16
Cisco	Adaptive Security Appliance	Cisco Adaptive Security Appliance (ASA) versions 9.9.x antérieures à 9.9.2.74
Cisco	Firepower Threat Defense	Cisco Firepower Threat Defense (FTD) versions antérieures à 6.6.0.1
Cisco	Adaptive Security Appliance	Cisco Adaptive Security Appliance (ASA) versions 9.7.x et 9.8.x antérieures à 9.8.4.20
Cisco	Firepower Threat Defense	Cisco Firepower Threat Defense (FTD) versions 6.4.x antérieures à 6.4.0.9 avec les correctifs de sécurité temporaires ou 6.4.0.10 (disponible août 2020)
Cisco	Adaptive Security Appliance	Cisco Adaptive Security Appliance (ASA) versions 9.10.x antérieures à 9.10.1.42
Cisco	Adaptive Security Appliance	Cisco Adaptive Security Appliance (ASA) versions 9.13.x antérieures à 9.13.1.10
Cisco	Firepower Threat Defense	Cisco Firepower Threat Defense (FTD) versions 6.3.x antérieures à 6.3.0.5 avec les correctifs de sécurité temporaires qui seront disponibles en août 2020 ou 6.3.0.6 (disponible automne 2020)
Cisco	Adaptive Security Appliance	Cisco Adaptive Security Appliance (ASA) versions 9.14.x antérieures à 9.14.1.10

References

Title

Publication Time

Tags

Bulletin de sécurité Cisco cisco-sa-asaftd-ro-path-KJuQhB86 du 22 juillet 2020	None	vendor-advisory
Avis CERTFR CERTFR-2020-AVI-461 du 23 juillet 2020	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Cisco Adaptive Security Appliance (ASA) versions 9.12.x ant\u00e9rieures \u00e0 9.12.3.12",
      "product": {
        "name": "Adaptive Security Appliance",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Cisco Adaptive Security Appliance (ASA) versions ant\u00e9rieures \u00e0 9.6.4.42",
      "product": {
        "name": "Adaptive Security Appliance",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Cisco Firepower Threat Defense (FTD) versions 6.5.x ant\u00e9rieures \u00e0 6.5.0.4 avec les correctifs de s\u00e9curit\u00e9 temporaires qui seront disponibles en ao\u00fbt 2020 ou 6.5.0.5 (disponible automne 2020)",
      "product": {
        "name": "Firepower Threat Defense",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Cisco Firepower Threat Defense (FTD) versions 6.2.x ant\u00e9rieures \u00e0 6.2.3.16",
      "product": {
        "name": "Firepower Threat Defense",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Cisco Adaptive Security Appliance (ASA) versions 9.9.x ant\u00e9rieures \u00e0 9.9.2.74",
      "product": {
        "name": "Adaptive Security Appliance",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Cisco Firepower Threat Defense (FTD) versions ant\u00e9rieures \u00e0 6.6.0.1",
      "product": {
        "name": "Firepower Threat Defense",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Cisco Adaptive Security Appliance (ASA) versions 9.7.x et 9.8.x ant\u00e9rieures \u00e0 9.8.4.20",
      "product": {
        "name": "Adaptive Security Appliance",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Cisco Firepower Threat Defense (FTD) versions 6.4.x ant\u00e9rieures \u00e0 6.4.0.9 avec les correctifs de s\u00e9curit\u00e9 temporaires ou 6.4.0.10 (disponible ao\u00fbt 2020)",
      "product": {
        "name": "Firepower Threat Defense",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Cisco Adaptive Security Appliance (ASA) versions 9.10.x ant\u00e9rieures \u00e0 9.10.1.42",
      "product": {
        "name": "Adaptive Security Appliance",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Cisco Adaptive Security Appliance (ASA) versions 9.13.x ant\u00e9rieures \u00e0 9.13.1.10",
      "product": {
        "name": "Adaptive Security Appliance",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Cisco Firepower Threat Defense (FTD) versions 6.3.x ant\u00e9rieures \u00e0 6.3.0.5 avec les correctifs de s\u00e9curit\u00e9 temporaires qui seront disponibles en ao\u00fbt 2020 ou 6.3.0.6 (disponible automne 2020)",
      "product": {
        "name": "Firepower Threat Defense",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Cisco Adaptive Security Appliance (ASA) versions 9.14.x ant\u00e9rieures \u00e0 9.14.1.10",
      "product": {
        "name": "Adaptive Security Appliance",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "closed_at": "2020-11-05",
  "content": "## Solution\n\nUn correctif n\u0027est pas encore disponible pour toutes les versions.\n\nLe CERT-FR recommande de migrer vers une version non vuln\u00e9rable dans les\nplus brefs d\u00e9lais.\n\nDans tous les cas, le CERT-FR recommande de v\u00e9rifier les journaux \u00e0 la\nrecherche de requ\u00eates suspectes. Si celles-ci sont d\u00e9tect\u00e9es, il faut en\ntirer les cons\u00e9quences et modifier tous les secrets qui auront pu \u00eatre\ncompromis.\n",
  "cves": [
    {
      "name": "CVE-2020-3452",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-3452"
    }
  ],
  "initial_release_date": "2020-07-28T00:00:00",
  "last_revision_date": "2020-11-05T00:00:00",
  "links": [],
  "reference": "CERTFR-2020-ALE-018",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2020-07-28T00:00:00.000000"
    },
    {
      "description": "Cl\u00f4ture de l\u0027alerte. Cela ne signifie pas la fin d\u0027une menace. Seule l\u0027application de la mise \u00e0 jour permet de vous pr\u00e9munir contre l\u0027exploitation de la vuln\u00e9rabilit\u00e9 correspondante.",
      "revision_date": "2020-11-05T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "Le 22 juillet 2020, Cisco a publi\u00e9 des correctifs pour la vuln\u00e9rabilit\u00e9\nCVE-2020-3452.\n\nCette vuln\u00e9rabilit\u00e9 affecte les \u00e9quipements Adaptive Security Appliance\n(ASA) Software et Firepower Threat Defense (FTD) lorsque les\nfonctionnalit\u00e9s\u00a0WebVPN ou AnyConnect sont activ\u00e9es.\n\nCette vuln\u00e9rabilit\u00e9 permet \u00e0 un attaquant de r\u00e9cup\u00e9rer le contenu de\nn\u0027importe quel fichier appartenant au syst\u00e8me de fichiers des services\nweb. Ce syst\u00e8me de fichiers, mont\u00e9 en m\u00e9moire, est diff\u00e9rent de celui du\nsyst\u00e8me d\u0027exploitation de l\u0027\u00e9quipement. Il contient n\u00e9anmoins\npotentiellement des informations sensibles sur la machine et sur le\nr\u00e9seau que celle-ci est cens\u00e9e prot\u00e9ger.\n\nLe jour o\u00f9 Cisco a publi\u00e9 ses mises \u00e0 jour, un chercheur a publi\u00e9 des\npreuves de concept permettant d\u0027exploiter cette vuln\u00e9rabilit\u00e9.\n\nLe CERT-FR a connaissance de campagnes tentant d\u0027exploiter cette\nvuln\u00e9rabilit\u00e9.\n\n\u00a0\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans Cisco ASA et FTD",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Cisco cisco-sa-asaftd-ro-path-KJuQhB86 du 22 juillet 2020",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86"
    },
    {
      "published_at": null,
      "title": "Avis CERTFR CERTFR-2020-AVI-461 du 23 juillet 2020",
      "url": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2020-AVI-461/"
    }
  ]
}

GHSA-Q26C-R46F-6FCQ

Vulnerability from github – Published: 2022-05-24 17:24 – Updated: 2025-10-22 00:31

Details

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2020-3452"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-22"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-07-22T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device. The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.",
  "id": "GHSA-q26c-r46f-6fcq",
  "modified": "2025-10-22T00:31:56Z",
  "published": "2022-05-24T17:24:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-3452"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-3452"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/158646/Cisco-ASA-FTD-Remote-File-Disclosure.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/158647/Cisco-Adaptive-Security-Appliance-Software-9.11-Local-File-Inclusion.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/159523/Cisco-ASA-FTD-9.6.4.42-Path-Traversal.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/160497/Cisco-ASA-9.14.1.10-FTD-6.6.0.1-Path-Traversal.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GSD-2020-3452

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

Aliases

CVE-2020-3452

Aliases

CVE-2020-3452

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2020-3452",
    "description": "A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device. The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.",
    "id": "GSD-2020-3452",
    "references": [
      "https://packetstormsecurity.com/files/cve/CVE-2020-3452"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2020-3452"
      ],
      "details": "A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device. The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.",
      "id": "GSD-2020-3452",
      "modified": "2023-12-13T01:22:10.650004Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cisa.gov": {
      "cveID": "CVE-2020-3452",
      "dateAdded": "2021-11-03",
      "dueDate": "2022-05-03",
      "product": "Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD)",
      "requiredAction": "Apply updates per vendor instructions.",
      "shortDescription": "A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device. The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.",
      "vendorProject": "Cisco",
      "vulnerabilityName": "Cisco Adaptive Security Appliance and Cisco Fire Power Threat Defense directory traversal sensitive file read"
    },
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "psirt@cisco.com",
        "DATE_PUBLIC": "2020-07-22T16:00:00",
        "ID": "CVE-2020-3452",
        "STATE": "PUBLIC",
        "TITLE": "Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Read-Only Path Traversal Vulnerability"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Cisco Adaptive Security Appliance (ASA) Software ",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_value": "9.6.4.42"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_value": "9.8.4.20"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_value": "9.9.2.74"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_value": "9.10.1.42"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_value": "9.13.1.10"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_value": "9.14.1.10"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Cisco"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device. The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files."
          }
        ]
      },
      "exploit": [
        {
          "lang": "eng",
          "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. "
        }
      ],
      "impact": {
        "cvss": {
          "baseScore": "7.5",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N ",
          "version": "3.0"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-20"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "20200722 Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Read-Only Path Traversal Vulnerability",
            "refsource": "CISCO",
            "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86"
          },
          {
            "name": "http://packetstormsecurity.com/files/158646/Cisco-ASA-FTD-Remote-File-Disclosure.html",
            "refsource": "MISC",
            "url": "http://packetstormsecurity.com/files/158646/Cisco-ASA-FTD-Remote-File-Disclosure.html"
          },
          {
            "name": "http://packetstormsecurity.com/files/158647/Cisco-Adaptive-Security-Appliance-Software-9.11-Local-File-Inclusion.html",
            "refsource": "MISC",
            "url": "http://packetstormsecurity.com/files/158647/Cisco-Adaptive-Security-Appliance-Software-9.11-Local-File-Inclusion.html"
          },
          {
            "name": "http://packetstormsecurity.com/files/159523/Cisco-ASA-FTD-9.6.4.42-Path-Traversal.html",
            "refsource": "MISC",
            "url": "http://packetstormsecurity.com/files/159523/Cisco-ASA-FTD-9.6.4.42-Path-Traversal.html"
          },
          {
            "name": "http://packetstormsecurity.com/files/160497/Cisco-ASA-9.14.1.10-FTD-6.6.0.1-Path-Traversal.html",
            "refsource": "MISC",
            "url": "http://packetstormsecurity.com/files/160497/Cisco-ASA-9.14.1.10-FTD-6.6.0.1-Path-Traversal.html"
          }
        ]
      },
      "source": {
        "advisory": "cisco-sa-asaftd-ro-path-KJuQhB86",
        "defect": [
          [
            "CSCvt03598"
          ]
        ],
        "discovery": "INTERNAL"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "cisaActionDue": "2022-05-03",
        "cisaExploitAdd": "2021-11-03",
        "cisaRequiredAction": "Apply updates per vendor instructions.",
        "cisaVulnerabilityName": "Cisco ASA and FTD Read-Only Path Traversal Vulnerability",
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "8B1F7D88-4774-47D9-BC1D-CAD49653EC52",
                    "versionEndExcluding": "9.6.4.42",
                    "versionStartIncluding": "9.6",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "CEB1AF51-43DA-4399-8264-E0A2E629F799",
                    "versionEndExcluding": "9.8.4.20",
                    "versionStartIncluding": "9.8",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "2694D563-A5CF-4A3E-BC7E-80A9F9487573",
                    "versionEndExcluding": "9.9.2.74",
                    "versionStartIncluding": "9.9",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "374FB489-272C-411D-8C3F-417D8760E8D7",
                    "versionEndExcluding": "9.10.1.42",
                    "versionStartIncluding": "9.10",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "0113BA1B-BBB3-4B2D-BB75-21C7CDB37DE0",
                    "versionEndExcluding": "9.12.3.12",
                    "versionStartIncluding": "9.12",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "526A1138-61C7-44AD-A925-B38BDB353238",
                    "versionEndExcluding": "9.13.1.10",
                    "versionStartIncluding": "9.13",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "7A0974DC-9A56-4099-ADEA-7938DBA3A27D",
                    "versionEndExcluding": "9.14.1.10",
                    "versionStartIncluding": "9.14",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              },
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:h:cisco:asa_5505:-:*:*:*:*:*:*:*",
                    "matchCriteriaId": "8E6A8BB7-2000-4CA2-9DD7-89573CE4C73A",
                    "vulnerable": false
                  },
                  {
                    "criteria": "cpe:2.3:h:cisco:asa_5510:-:*:*:*:*:*:*:*",
                    "matchCriteriaId": "B091B9BA-D4CA-435B-8D66-602B45F0E0BD",
                    "vulnerable": false
                  },
                  {
                    "criteria": "cpe:2.3:h:cisco:asa_5512-x:-:*:*:*:*:*:*:*",
                    "matchCriteriaId": "08F0F160-DAD2-48D4-B7B2-4818B2526F35",
                    "vulnerable": false
                  },
                  {
                    "criteria": "cpe:2.3:h:cisco:asa_5515-x:-:*:*:*:*:*:*:*",
                    "matchCriteriaId": "977D597B-F6DE-4438-AB02-06BE64D71EBE",
                    "vulnerable": false
                  },
                  {
                    "criteria": "cpe:2.3:h:cisco:asa_5520:-:*:*:*:*:*:*:*",
                    "matchCriteriaId": "2B387F62-6341-434D-903F-9B72E7F84ECB",
                    "vulnerable": false
                  },
                  {
                    "criteria": "cpe:2.3:h:cisco:asa_5525-x:-:*:*:*:*:*:*:*",
                    "matchCriteriaId": "EB71EB29-0115-4307-A9F7-262394FD9FB0",
                    "vulnerable": false
                  },
                  {
                    "criteria": "cpe:2.3:h:cisco:asa_5540:-:*:*:*:*:*:*:*",
                    "matchCriteriaId": "17C5A524-E1D9-480F-B655-0680AA5BF720",
                    "vulnerable": false
                  },
                  {
                    "criteria": "cpe:2.3:h:cisco:asa_5545-x:-:*:*:*:*:*:*:*",
                    "matchCriteriaId": "57179F60-E330-4FF0-9664-B1E4637FF210",
                    "vulnerable": false
                  },
                  {
                    "criteria": "cpe:2.3:h:cisco:asa_5550:-:*:*:*:*:*:*:*",
                    "matchCriteriaId": "E6287D95-F564-44B7-A0F9-91396D7C2C4E",
                    "vulnerable": false
                  },
                  {
                    "criteria": "cpe:2.3:h:cisco:asa_5555-x:-:*:*:*:*:*:*:*",
                    "matchCriteriaId": "5535C936-391B-4619-AA03-B35265FC15D7",
                    "vulnerable": false
                  },
                  {
                    "criteria": "cpe:2.3:h:cisco:asa_5580:-:*:*:*:*:*:*:*",
                    "matchCriteriaId": "D1E828B8-5ECC-4A09-B2AD-DEDC558713DE",
                    "vulnerable": false
                  },
                  {
                    "criteria": "cpe:2.3:h:cisco:asa_5585-x:-:*:*:*:*:*:*:*",
                    "matchCriteriaId": "16AE20C2-C77E-4E04-BF13-A48696E52426",
                    "vulnerable": false
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ],
            "operator": "AND"
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:cisco:firepower_threat_defense:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "C4B2E5D3-ED34-4A7E-BD8F-8492B6737677",
                    "versionEndExcluding": "6.2.3.16",
                    "versionStartIncluding": "6.2.3",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:cisco:firepower_threat_defense:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "9D27DE97-510A-4761-8184-6940745B54E2",
                    "versionEndExcluding": "6.3.0.6",
                    "versionStartIncluding": "6.3.0",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:cisco:firepower_threat_defense:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "53C69C8B-5A19-4613-8861-683CF21806B7",
                    "versionEndExcluding": "6.4.0.10",
                    "versionStartIncluding": "6.4.0",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:cisco:firepower_threat_defense:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "3ED0E59C-146C-494F-AD46-F6FB43F9C575",
                    "versionEndExcluding": "6.5.0.5",
                    "versionStartIncluding": "6.5.0",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:cisco:firepower_threat_defense:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "6193E3E2-CD18-415F-9F2D-9DD536C18323",
                    "versionEndExcluding": "6.6.0.1",
                    "versionStartIncluding": "6.6.0",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device. The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files."
          },
          {
            "lang": "es",
            "value": "Una vulnerabilidad en la interfaz de servicios web de Cisco Adaptive Security Appliance (ASA) Software y Cisco Firepower Threat Defense (FTD) Software, podr\u00eda permitir a un atacante remoto no autenticado conducir ataques de salto de directorio y leer archivos confidenciales en un sistema objetivo. La vulnerabilidad es debido a una falta de comprobaci\u00f3n de entrada apropiada de las URL en las peticiones HTTP procesadas por un dispositivo afectado. Un atacante podr\u00eda explotar esta vulnerabilidad mediante el env\u00edo de una petici\u00f3n HTTP dise\u00f1ada que contenga secuencias de caracteres salto de directorio en un dispositivo afectado. Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir a un atacante visualizar archivos arbitrarios dentro del sistema de archivos de servicios web en el dispositivo objetivo. El sistema de archivos de los servicios web es habilitado cuando el dispositivo afectado es configurado con las funcionalidades WebVPN o AnyConnect. Esta vulnerabilidad no puede ser utilizada para obtener acceso a los archivos del sistema ASA o FTD o los archivos del sistema operativo (SO) subyacente"
          }
        ],
        "id": "CVE-2020-3452",
        "lastModified": "2024-02-21T20:57:31.090",
        "metrics": {
          "cvssMetricV2": [
            {
              "acInsufInfo": false,
              "baseSeverity": "MEDIUM",
              "cvssData": {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "availabilityImpact": "NONE",
                "baseScore": 5.0,
                "confidentialityImpact": "PARTIAL",
                "integrityImpact": "NONE",
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
                "version": "2.0"
              },
              "exploitabilityScore": 10.0,
              "impactScore": 2.9,
              "obtainAllPrivilege": false,
              "obtainOtherPrivilege": false,
              "obtainUserPrivilege": false,
              "source": "nvd@nist.gov",
              "type": "Primary",
              "userInteractionRequired": false
            }
          ],
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 3.6,
              "source": "nvd@nist.gov",
              "type": "Primary"
            },
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 3.6,
              "source": "ykramarz@cisco.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2020-07-22T20:15:11.970",
        "references": [
          {
            "source": "ykramarz@cisco.com",
            "tags": [
              "Third Party Advisory",
              "VDB Entry"
            ],
            "url": "http://packetstormsecurity.com/files/158646/Cisco-ASA-FTD-Remote-File-Disclosure.html"
          },
          {
            "source": "ykramarz@cisco.com",
            "tags": [
              "Exploit",
              "Third Party Advisory",
              "VDB Entry"
            ],
            "url": "http://packetstormsecurity.com/files/158647/Cisco-Adaptive-Security-Appliance-Software-9.11-Local-File-Inclusion.html"
          },
          {
            "source": "ykramarz@cisco.com",
            "tags": [
              "Exploit",
              "Third Party Advisory",
              "VDB Entry"
            ],
            "url": "http://packetstormsecurity.com/files/159523/Cisco-ASA-FTD-9.6.4.42-Path-Traversal.html"
          },
          {
            "source": "ykramarz@cisco.com",
            "tags": [
              "Exploit",
              "Third Party Advisory",
              "VDB Entry"
            ],
            "url": "http://packetstormsecurity.com/files/160497/Cisco-ASA-9.14.1.10-FTD-6.6.0.1-Path-Traversal.html"
          },
          {
            "source": "ykramarz@cisco.com",
            "tags": [
              "Vendor Advisory"
            ],
            "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86"
          }
        ],
        "sourceIdentifier": "ykramarz@cisco.com",
        "vulnStatus": "Analyzed",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-22"
              }
            ],
            "source": "nvd@nist.gov",
            "type": "Primary"
          },
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-20"
              }
            ],
            "source": "ykramarz@cisco.com",
            "type": "Secondary"
          }
        ]
      }
    }
  }
}

FKIE_CVE-2020-3452

Vulnerability from fkie_nvd - Published: 2020-07-22 20:15 - Updated: 2025-10-28 13:54

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
psirt@cisco.com	http://packetstormsecurity.com/files/158646/Cisco-ASA-FTD-Remote-File-Disclosure.html	Third Party Advisory, VDB Entry
psirt@cisco.com	http://packetstormsecurity.com/files/158647/Cisco-Adaptive-Security-Appliance-Software-9.11-Local-File-Inclusion.html	Exploit, Third Party Advisory, VDB Entry
psirt@cisco.com	http://packetstormsecurity.com/files/159523/Cisco-ASA-FTD-9.6.4.42-Path-Traversal.html	Exploit, Third Party Advisory, VDB Entry
psirt@cisco.com	http://packetstormsecurity.com/files/160497/Cisco-ASA-9.14.1.10-FTD-6.6.0.1-Path-Traversal.html	Exploit, Third Party Advisory, VDB Entry
psirt@cisco.com	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/158646/Cisco-ASA-FTD-Remote-File-Disclosure.html	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/158647/Cisco-Adaptive-Security-Appliance-Software-9.11-Local-File-Inclusion.html	Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/159523/Cisco-ASA-FTD-9.6.4.42-Path-Traversal.html	Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/160497/Cisco-ASA-9.14.1.10-FTD-6.6.0.1-Path-Traversal.html	Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86	Vendor Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-3452	US Government Resource

Impacted products

Vendor	Product	Version
cisco	adaptive_security_appliance_software	*
cisco	adaptive_security_appliance_software	*
cisco	adaptive_security_appliance_software	*
cisco	adaptive_security_appliance_software	*
cisco	adaptive_security_appliance_software	*
cisco	adaptive_security_appliance_software	*
cisco	adaptive_security_appliance_software	*
cisco	asa_5505	-
cisco	asa_5510	-
cisco	asa_5512-x	-
cisco	asa_5515-x	-
cisco	asa_5520	-
cisco	asa_5525-x	-
cisco	asa_5540	-
cisco	asa_5545-x	-
cisco	asa_5550	-
cisco	asa_5555-x	-
cisco	asa_5580	-
cisco	asa_5585-x	-
cisco	firepower_threat_defense	*
cisco	firepower_threat_defense	*
cisco	firepower_threat_defense	*
cisco	firepower_threat_defense	*
cisco	firepower_threat_defense	*

JSON

To clipboard

{
  "cisaActionDue": "2022-05-03",
  "cisaExploitAdd": "2021-11-03",
  "cisaRequiredAction": "Apply updates per vendor instructions.",
  "cisaVulnerabilityName": "Cisco ASA and FTD Read-Only Path Traversal Vulnerability",
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8B1F7D88-4774-47D9-BC1D-CAD49653EC52",
              "versionEndExcluding": "9.6.4.42",
              "versionStartIncluding": "9.6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CEB1AF51-43DA-4399-8264-E0A2E629F799",
              "versionEndExcluding": "9.8.4.20",
              "versionStartIncluding": "9.8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2694D563-A5CF-4A3E-BC7E-80A9F9487573",
              "versionEndExcluding": "9.9.2.74",
              "versionStartIncluding": "9.9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "374FB489-272C-411D-8C3F-417D8760E8D7",
              "versionEndExcluding": "9.10.1.42",
              "versionStartIncluding": "9.10",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0113BA1B-BBB3-4B2D-BB75-21C7CDB37DE0",
              "versionEndExcluding": "9.12.3.12",
              "versionStartIncluding": "9.12",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "526A1138-61C7-44AD-A925-B38BDB353238",
              "versionEndExcluding": "9.13.1.10",
              "versionStartIncluding": "9.13",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7A0974DC-9A56-4099-ADEA-7938DBA3A27D",
              "versionEndExcluding": "9.14.1.10",
              "versionStartIncluding": "9.14",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:cisco:asa_5505:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "8E6A8BB7-2000-4CA2-9DD7-89573CE4C73A",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:asa_5510:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "B091B9BA-D4CA-435B-8D66-602B45F0E0BD",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:asa_5512-x:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "08F0F160-DAD2-48D4-B7B2-4818B2526F35",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:asa_5515-x:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "977D597B-F6DE-4438-AB02-06BE64D71EBE",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:asa_5520:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "2B387F62-6341-434D-903F-9B72E7F84ECB",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:asa_5525-x:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "EB71EB29-0115-4307-A9F7-262394FD9FB0",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:asa_5540:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "17C5A524-E1D9-480F-B655-0680AA5BF720",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:asa_5545-x:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "57179F60-E330-4FF0-9664-B1E4637FF210",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:asa_5550:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "E6287D95-F564-44B7-A0F9-91396D7C2C4E",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:asa_5555-x:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "5535C936-391B-4619-AA03-B35265FC15D7",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:asa_5580:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "D1E828B8-5ECC-4A09-B2AD-DEDC558713DE",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:asa_5585-x:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "16AE20C2-C77E-4E04-BF13-A48696E52426",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:cisco:firepower_threat_defense:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C4B2E5D3-ED34-4A7E-BD8F-8492B6737677",
              "versionEndExcluding": "6.2.3.16",
              "versionStartIncluding": "6.2.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cisco:firepower_threat_defense:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9D27DE97-510A-4761-8184-6940745B54E2",
              "versionEndExcluding": "6.3.0.6",
              "versionStartIncluding": "6.3.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cisco:firepower_threat_defense:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "53C69C8B-5A19-4613-8861-683CF21806B7",
              "versionEndExcluding": "6.4.0.10",
              "versionStartIncluding": "6.4.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cisco:firepower_threat_defense:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3ED0E59C-146C-494F-AD46-F6FB43F9C575",
              "versionEndExcluding": "6.5.0.5",
              "versionStartIncluding": "6.5.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cisco:firepower_threat_defense:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6193E3E2-CD18-415F-9F2D-9DD536C18323",
              "versionEndExcluding": "6.6.0.1",
              "versionStartIncluding": "6.6.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device. The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad en la interfaz de servicios web de Cisco Adaptive Security Appliance (ASA) Software y Cisco Firepower Threat Defense (FTD) Software, podr\u00eda permitir a un atacante remoto no autenticado conducir ataques de salto de directorio y leer archivos confidenciales en un sistema objetivo. La vulnerabilidad es debido a una falta de comprobaci\u00f3n de entrada apropiada de las URL en las peticiones HTTP procesadas por un dispositivo afectado. Un atacante podr\u00eda explotar esta vulnerabilidad mediante el env\u00edo de una petici\u00f3n HTTP dise\u00f1ada que contenga secuencias de caracteres salto de directorio en un dispositivo afectado. Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir a un atacante visualizar archivos arbitrarios dentro del sistema de archivos de servicios web en el dispositivo objetivo. El sistema de archivos de los servicios web es habilitado cuando el dispositivo afectado es configurado con las funcionalidades WebVPN o AnyConnect. Esta vulnerabilidad no puede ser utilizada para obtener acceso a los archivos del sistema ASA o FTD o los archivos del sistema operativo (SO) subyacente"
    }
  ],
  "id": "CVE-2020-3452",
  "lastModified": "2025-10-28T13:54:01.140",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "psirt@cisco.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-07-22T20:15:11.970",
  "references": [
    {
      "source": "psirt@cisco.com",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/158646/Cisco-ASA-FTD-Remote-File-Disclosure.html"
    },
    {
      "source": "psirt@cisco.com",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/158647/Cisco-Adaptive-Security-Appliance-Software-9.11-Local-File-Inclusion.html"
    },
    {
      "source": "psirt@cisco.com",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/159523/Cisco-ASA-FTD-9.6.4.42-Path-Traversal.html"
    },
    {
      "source": "psirt@cisco.com",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/160497/Cisco-ASA-9.14.1.10-FTD-6.6.0.1-Path-Traversal.html"
    },
    {
      "source": "psirt@cisco.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/158646/Cisco-ASA-FTD-Remote-File-Disclosure.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/158647/Cisco-Adaptive-Security-Appliance-Software-9.11-Local-File-Inclusion.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/159523/Cisco-ASA-FTD-9.6.4.42-Path-Traversal.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/160497/Cisco-ASA-9.14.1.10-FTD-6.6.0.1-Path-Traversal.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "US Government Resource"
      ],
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-3452"
    }
  ],
  "sourceIdentifier": "psirt@cisco.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "psirt@cisco.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CVE-2020-3452

Vulnerability from fstec - Published: 22.07.2020

Title

Уязвимость веб-интерфейса микропрограммного обеспечения межсетевых экранов Cisco Adaptive Security Appliance и Cisco Firepower Threat Defense, позволяющая нарушителю раскрыть защищаемую информацию

Description

Уязвимость веб-интерфейса микропрограммного обеспечения межсетевых экранов Cisco Adaptive Security Appliance и Cisco Firepower Threat Defense существует из-за недостаточной проверки входных данных. Эксплуатация уязвимости может позволить нарушителю, действующему удалённо, раскрыть защищаемую информацию

Severity ?


                    
                      AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Vendor

Cisco Systems Inc.

Software Name

Firepower Threat Defense, Adaptive Security Appliance

Software Version

от 6.2.3 до 6.2.3.16 (Firepower Threat Defense), от 6.3.0 до 6.3.0.6 (Firepower Threat Defense), от 6.5.0 до 6.5.0.5 (Firepower Threat Defense), от 9.8 до 9.8.4.20 (Adaptive Security Appliance), от 9.13 до 9.13.1.10 (Adaptive Security Appliance), от 9.6 до 9.6.4.42 (Adaptive Security Appliance), от 9.9 до 9.9.2.74 (Adaptive Security Appliance), от 9.10 до 9.10.1.42 (Adaptive Security Appliance), от 9.12 до 9.12.3.12 (Adaptive Security Appliance), от 9.14 до 9.14.1.10 (Adaptive Security Appliance), от 6.4.0 до 6.4.0.10 (Firepower Threat Defense), от 6.6.0 до 6.6.0.1 (Firepower Threat Defense)

Possible Mitigations

Использование рекомендаций: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86

Reference

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86 https://nvd.nist.gov/vuln/detail/CVE-2020-3452 http://packetstormsecurity.com/files/158647/Cisco-Adaptive-Security-Appliance-Software-9.11-Local-File-Inclusion.html

CWE

CWE-20

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:L/Au:N/C:C/I:N/A:N",
  "CVSS 3.0": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Cisco Systems Inc.",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "\u043e\u0442 6.2.3 \u0434\u043e 6.2.3.16 (Firepower Threat Defense), \u043e\u0442 6.3.0 \u0434\u043e 6.3.0.6 (Firepower Threat Defense), \u043e\u0442 6.5.0 \u0434\u043e 6.5.0.5 (Firepower Threat Defense), \u043e\u0442 9.8 \u0434\u043e 9.8.4.20 (Adaptive Security Appliance), \u043e\u0442 9.13 \u0434\u043e 9.13.1.10 (Adaptive Security Appliance), \u043e\u0442 9.6 \u0434\u043e 9.6.4.42 (Adaptive Security Appliance), \u043e\u0442 9.9 \u0434\u043e 9.9.2.74 (Adaptive Security Appliance), \u043e\u0442 9.10 \u0434\u043e 9.10.1.42 (Adaptive Security Appliance), \u043e\u0442 9.12 \u0434\u043e 9.12.3.12 (Adaptive Security Appliance), \u043e\u0442 9.14 \u0434\u043e 9.14.1.10 (Adaptive Security Appliance), \u043e\u0442 6.4.0 \u0434\u043e 6.4.0.10 (Firepower Threat Defense), \u043e\u0442 6.6.0 \u0434\u043e 6.6.0.1 (Firepower Threat Defense)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "22.07.2020",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "13.09.2024",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "20.08.2020",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2020-04010",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2020-3452",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Firepower Threat Defense, Adaptive Security Appliance",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": null,
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0432\u0435\u0431-\u0438\u043d\u0442\u0435\u0440\u0444\u0435\u0439\u0441\u0430 \u043c\u0438\u043a\u0440\u043e\u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f \u043c\u0435\u0436\u0441\u0435\u0442\u0435\u0432\u044b\u0445 \u044d\u043a\u0440\u0430\u043d\u043e\u0432 Cisco Adaptive Security Appliance \u0438 Cisco Firepower Threat Defense, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0440\u0430\u0441\u043a\u0440\u044b\u0442\u044c \u0437\u0430\u0449\u0438\u0449\u0430\u0435\u043c\u0443\u044e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044e",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0421\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u0432 \u043e\u0442\u043a\u0440\u044b\u0442\u043e\u043c \u0434\u043e\u0441\u0442\u0443\u043f\u0435",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043e\u0447\u043d\u0430\u044f \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0430 \u0432\u0432\u043e\u0434\u0438\u043c\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445 (CWE-20)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0432\u0435\u0431-\u0438\u043d\u0442\u0435\u0440\u0444\u0435\u0439\u0441\u0430 \u043c\u0438\u043a\u0440\u043e\u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f \u043c\u0435\u0436\u0441\u0435\u0442\u0435\u0432\u044b\u0445 \u044d\u043a\u0440\u0430\u043d\u043e\u0432 Cisco Adaptive Security Appliance \u0438 Cisco Firepower Threat Defense \u0441\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u0438\u0437-\u0437\u0430 \u043d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043e\u0447\u043d\u043e\u0439 \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0438 \u0432\u0445\u043e\u0434\u043d\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e, \u0440\u0430\u0441\u043a\u0440\u044b\u0442\u044c \u0437\u0430\u0449\u0438\u0449\u0430\u0435\u043c\u0443\u044e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044e",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041c\u0430\u043d\u0438\u043f\u0443\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u0441\u0443\u0440\u0441\u0430\u043c\u0438",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-3452\nhttp://packetstormsecurity.com/files/158647/Cisco-Adaptive-Security-Appliance-Software-9.11-Local-File-Inclusion.html",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041f\u041e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e-\u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0433\u043e \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430, \u041f\u041e \u0441\u0435\u0442\u0435\u0432\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e-\u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0433\u043e \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-20",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,8)\n\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,5)"
}

CERTFR-2020-AVI-461

Vulnerability from certfr_avis - Published: 2020-07-23 - Updated: 2020-07-28

Une vulnérabilité a été découverte dans Cisco ASA et FTD. Elle permet à un attaquant de provoquer un contournement de la politique de sécurité et une atteinte à la confidentialité des données.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Cisco	Adaptive Security Appliance	Cisco Adaptive Security Appliance (ASA) versions 9.12.x antérieures à 9.12.3.12
Cisco	Adaptive Security Appliance	Cisco Adaptive Security Appliance (ASA) versions antérieures à 9.6.4.42
Cisco	Firepower Threat Defense	Cisco Firepower Threat Defense (FTD) versions 6.5.x antérieures à 6.5.0.4 avec les correctifs de sécurité temporaires qui seront disponibles en août 2020 ou 6.5.0.5 (disponible automne 2020)
Cisco	Firepower Threat Defense	Cisco Firepower Threat Defense (FTD) versions 6.2.x antérieures à 6.2.3.16
Cisco	Adaptive Security Appliance	Cisco Adaptive Security Appliance (ASA) versions 9.9.x antérieures à 9.9.2.74
Cisco	Firepower Threat Defense	Cisco Firepower Threat Defense (FTD) versions antérieures à 6.6.0.1
Cisco	Adaptive Security Appliance	Cisco Adaptive Security Appliance (ASA) versions 9.7.x et 9.8.x antérieures à 9.8.4.20
Cisco	Firepower Threat Defense	Cisco Firepower Threat Defense (FTD) versions 6.4.x antérieures à 6.4.0.9 avec les correctifs de sécurité temporaires ou 6.4.0.10 (disponible août 2020)
Cisco	Adaptive Security Appliance	Cisco Adaptive Security Appliance (ASA) versions 9.10.x antérieures à 9.10.1.42
Cisco	Adaptive Security Appliance	Cisco Adaptive Security Appliance (ASA) versions 9.13.x antérieures à 9.13.1.10
Cisco	Firepower Threat Defense	Cisco Firepower Threat Defense (FTD) versions 6.3.x antérieures à 6.3.0.5 avec les correctifs de sécurité temporaires qui seront disponibles en août 2020 ou 6.3.0.6 (disponible automne 2020)
Cisco	Adaptive Security Appliance	Cisco Adaptive Security Appliance (ASA) versions 9.14.x antérieures à 9.14.1.10

References

Title

Publication Time

Tags

Bulletin de sécurité Cisco cisco-sa-asaftd-ro-path-KJuQhB86 du 22 juillet 2020

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Cisco Adaptive Security Appliance (ASA) versions 9.12.x ant\u00e9rieures \u00e0 9.12.3.12",
      "product": {
        "name": "Adaptive Security Appliance",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Cisco Adaptive Security Appliance (ASA) versions ant\u00e9rieures \u00e0 9.6.4.42",
      "product": {
        "name": "Adaptive Security Appliance",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Cisco Firepower Threat Defense (FTD) versions 6.5.x ant\u00e9rieures \u00e0 6.5.0.4 avec les correctifs de s\u00e9curit\u00e9 temporaires qui seront disponibles en ao\u00fbt 2020 ou 6.5.0.5 (disponible automne 2020)",
      "product": {
        "name": "Firepower Threat Defense",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Cisco Firepower Threat Defense (FTD) versions 6.2.x ant\u00e9rieures \u00e0 6.2.3.16",
      "product": {
        "name": "Firepower Threat Defense",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Cisco Adaptive Security Appliance (ASA) versions 9.9.x ant\u00e9rieures \u00e0 9.9.2.74",
      "product": {
        "name": "Adaptive Security Appliance",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Cisco Firepower Threat Defense (FTD) versions ant\u00e9rieures \u00e0 6.6.0.1",
      "product": {
        "name": "Firepower Threat Defense",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Cisco Adaptive Security Appliance (ASA) versions 9.7.x et 9.8.x ant\u00e9rieures \u00e0 9.8.4.20",
      "product": {
        "name": "Adaptive Security Appliance",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Cisco Firepower Threat Defense (FTD) versions 6.4.x ant\u00e9rieures \u00e0 6.4.0.9 avec les correctifs de s\u00e9curit\u00e9 temporaires ou 6.4.0.10 (disponible ao\u00fbt 2020)",
      "product": {
        "name": "Firepower Threat Defense",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Cisco Adaptive Security Appliance (ASA) versions 9.10.x ant\u00e9rieures \u00e0 9.10.1.42",
      "product": {
        "name": "Adaptive Security Appliance",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Cisco Adaptive Security Appliance (ASA) versions 9.13.x ant\u00e9rieures \u00e0 9.13.1.10",
      "product": {
        "name": "Adaptive Security Appliance",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Cisco Firepower Threat Defense (FTD) versions 6.3.x ant\u00e9rieures \u00e0 6.3.0.5 avec les correctifs de s\u00e9curit\u00e9 temporaires qui seront disponibles en ao\u00fbt 2020 ou 6.3.0.6 (disponible automne 2020)",
      "product": {
        "name": "Firepower Threat Defense",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Cisco Adaptive Security Appliance (ASA) versions 9.14.x ant\u00e9rieures \u00e0 9.14.1.10",
      "product": {
        "name": "Adaptive Security Appliance",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2020-3452",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-3452"
    }
  ],
  "initial_release_date": "2020-07-23T00:00:00",
  "last_revision_date": "2020-07-28T00:00:00",
  "links": [],
  "reference": "CERTFR-2020-AVI-461",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2020-07-23T00:00:00.000000"
    },
    {
      "description": "Ajout de la version 6.2.3.16 pour Cisco FTD",
      "revision_date": "2020-07-28T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Cisco ASA et FTD. Elle permet \u00e0\nun attaquant de provoquer un contournement de la politique de s\u00e9curit\u00e9\net une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans Cisco ASA et FTD",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Cisco cisco-sa-asaftd-ro-path-KJuQhB86 du 22 juillet 2020",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86"
    }
  ]
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2020-3452 (GCVE-0-2020-3452)

CERTFR-2020-ALE-018

Solution

GHSA-Q26C-R46F-6FCQ

GSD-2020-3452

FKIE_CVE-2020-3452

CVE-2020-3452

CERTFR-2020-AVI-461

Solution

Tags

Sightings

Nomenclature