Lucene search

CiscoCVE-2020-3561

HistoryOct 21, 2020 - 7:15 p.m.

CVE-2020-3561

2020-10-2119:15:17

CWE-74

CWE-93

cisco

web.nvd.nist.gov

cisco

asa

ftd

cve-2020-3561

vulnerability

crlf injection

http headers

nvd

security

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

4.7

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

AI Score

Confidence

High

EPSS

0.001

Percentile

47.0%

JSON

A vulnerability in the Clientless SSL VPN (WebVPN) of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to inject arbitrary HTTP headers in the responses of the affected system. The vulnerability is due to improper input sanitization. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to conduct a CRLF injection attack, adding arbitrary HTTP headers in the responses of the system and redirecting the user to arbitrary websites.

Affected configurations

Nvd

Node

ciscoadaptive_security_applianceRange<9.6.4.35

ciscofirepower_threat_defenseRange<6.3.0.6

ciscofirepower_threat_defenseRange6.4.0–6.4.0.10

ciscofirepower_threat_defenseRange6.5.0–6.5.0.5

ciscofirepower_threat_defenseRange6.6.0–6.6.1

ciscoadaptive_security_appliance_softwareRange9.8.0–9.8.4.20

ciscoadaptive_security_appliance_softwareRange9.9.0–9.9.2.80

ciscoadaptive_security_appliance_softwareRange9.10.0–9.10.1.43

ciscoadaptive_security_appliance_softwareRange9.12.0–9.12.3.9

ciscoadaptive_security_appliance_softwareRange9.13.0–9.13.1.10

ciscoadaptive_security_appliance_softwareRange9.14.0–9.14.1.10

VendorProductVersionCPE
ciscoadaptive_security_appliance*cpe:2.3:a:cisco:adaptive_security_appliance:*:*:*:*:*:*:*:*
ciscofirepower_threat_defense*cpe:2.3:a:cisco:firepower_threat_defense:*:*:*:*:*:*:*:*
ciscoadaptive_security_appliance_software*cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
cisco	adaptive_security_appliance	*	cpe:2.3:a:cisco:adaptive_security_appliance::::::::
cisco	firepower_threat_defense	*	cpe:2.3:a:cisco:firepower_threat_defense::::::::
cisco	adaptive_security_appliance_software	*	cpe:2.3:o:cisco:adaptive_security_appliance_software::::::::

CNA Affected

[
  {
    "product": "Cisco Adaptive Security Appliance (ASA) Software",
    "vendor": "Cisco",
    "versions": [
      {
        "status": "affected",
        "version": "n/a"
      }
    ]
  }
]

References

tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-crlf-inj-BX9uRwSn

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

4.7

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

AI Score

Confidence

High

EPSS

0.001

Percentile

47.0%

JSON

Related for CVE-2020-3561