CVE-2014-2127

EUVD-2014-2167

10.04.2014, 04:34

Cisco Adaptive Security Appliance (ASA) Software 8.x before 8.2(5.48), 8.3 before 8.3(2.40), 8.4 before 8.4(7.9), 8.6 before 8.6(1.13), 9.0 before 9.0(4.1), and 9.1 before 9.1(4.3) does not properly process management-session information during privilege validation for SSL VPN portal connections, which allows remote authenticated users to gain privileges by establishing a Clientless SSL VPN session and entering crafted URLs, aka Bug ID CSCul70099.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.5 UNKNOWN	NETWORK	MEDIUM		AV:N/AC:M/Au:S/C:C/I:C/A:C

Base Score

CVSS 3.x

EPSS Score

Percentile: 96%

Affected Products (NVD)

Vendor	Product	Version
cisco	adaptive_security_appliance_software	8.0
cisco	adaptive_security_appliance_software	8.1
cisco	adaptive_security_appliance_software	8.2
cisco	adaptive_security_appliance_software	8.3\(1\)
cisco	adaptive_security_appliance_software	8.4
cisco	adaptive_security_appliance_software	8.6
cisco	adaptive_security_appliance_software	9.0
cisco	adaptive_security_appliance_software	9.1

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-20 - Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-asa