7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.019 Low
EPSS
Percentile
88.4%
Cisco ASA, Cisco FTD
Severity:
Severity level: High
Impact: Information disclosure in Сisco ASA and Cisco FTD
Access Vector: Remote
CVSS v3 Base Score: 7.5 HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:X/RL:X/RC:X
CVE: CVE-2020-3259
Vulnerability description:
Successful exploitation of this vulnerability allows an unauthorized, remote attacker to read arbitrary heap memory of the device and obtain a valid session ID of a user connected to Cisco VPN. The attacker can use the obtained session ID to access the organization’s intranet. Cisco ASA memory may also contain other sensitive information, like usernames, email addresses, and certificates, which can be used to further compromise the system.
Advisory status:
21.02.2020 - Vendor gets vulnerability details 06.05.2020 - Vendor releases fixed version and details
Credits:
The vulnerability was discovered by Mikhail Klyuchnikov and Nikita Abramov, Positive Technologies
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.019 Low
EPSS
Percentile
88.4%