CVE-2020-3335

EPSS 0.04%
Published 03.06.2020 18:15:22
Last modified 21.11.2024 05:30:49
Source psirt@cisco.com
Teams watchlist Login
Open Login

A vulnerability in the key store of Cisco Application Services Engine Software could allow an authenticated, local attacker to read sensitive information of other users on an affected device. The vulnerability is due to insufficient authorization limitations. An attacker could exploit this vulnerability by logging in to an affected device locally with valid credentials. A successful exploit could allow the attacker to read the sensitive information of other users on the affected device.

Affected products Warnungen 0 Metrics 4 CWE 2 References 4

Data is provided by the National Vulnerability Database (NVD)

Cisco ≫ Application Policy Infrastructure Controller Version1.1(0c)

Cisco ≫ Application Services Engine Version < 1.1.2.20

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.04%	0.103

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.5	1.8	3.6	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	2.1	3.9	2.9	AV:L/AC:L/Au:N/C:P/I:N/A:N
psirt@cisco.com	5.5	1.8	3.6	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-APIC-KSV-3wzbHYT4

Patch

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2020-3335

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-3335

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-3335

EUVD