Back to KEVs

CVE-2020-3259

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Information Disclosure Vulnerability

Basic Information

CVE State
PUBLISHED
Reserved Date
December 12, 2019
Published Date
May 06, 2020
Last Updated
October 24, 2024
Vendor
Cisco
Product
Cisco Adaptive Security Appliance (ASA) Software
Description
A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to retrieve memory contents on an affected device, which could lead to the disclosure of confidential information. The vulnerability is due to a buffer tracking issue when the software parses invalid URLs that are requested from the web services interface. An attacker could exploit this vulnerability by sending a crafted GET request to the web services interface. A successful exploit could allow the attacker to retrieve memory contents, which could lead to the disclosure of confidential information. Note: This vulnerability affects only specific AnyConnect and WebVPN configurations. For more information, see the Vulnerable Products section.

CVSS Scores

CVSS v3.0

7.5 - HIGH

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

SSVC Information

Exploitation
active
Automatable
Yes
Technical Impact
partial

Exploit Status

Exploited in the Wild
Yes (added 2024-02-15 00:00:00 UTC) Source
Used in Malware
Yes (added 2024-02-15 00:00:00 UTC) Source

References

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-info-disclose-9eJtycMB

Known Exploited Vulnerability Information

Source Added Date
CISA 2024-02-15 00:00:00 UTC