CVE-2012-2495Improper Input Validation in Cisco Secure Desktop

CWE-20Improper Input ValidationCWE-3995 documents4 sources
Severity
4.3MEDIUMNVD
EPSS
0.2%
top 55.97%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Cisco Secure DesktopCisco Anyconnect Secure Mobility Client
Timeline
PublishedJun 20
Latest updateMay 17

Description

The HostScan downloader implementation in Cisco AnyConnect Secure Mobility Client 3.x before 3.0 MR8 and Cisco Secure Desktop before 3.6.6020 does not compare the timestamp of offered software to the timestamp of installed software, which allows remote attackers to force a version downgrade by using (1) ActiveX or (2) Java components to offer signed code that corresponds to an older software release, aka Bug ID CSCtx74235.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages2 packages

NVDcisco/secure_desktop3.5.2008+16

🔴Vulnerability Details

2
GHSA
GHSA-jp4v-v2ww-7m2h: The HostScan downloader implementation in Cisco AnyConnect Secure Mobility Client 32022-05-17
CVEList
CVE-2012-2495: The HostScan downloader implementation in Cisco AnyConnect Secure Mobility Client 32012-06-20

📋Vendor Advisories

2
Cisco
Cisco AnyConnect Secure Mobility Client and Secure Desktop WebLaunch Software Downgrade Vulnerability2012-06-20
Cisco
Multiple Vulnerabilities in Cisco AnyConnect Secure Mobility Client2012-06-20
CVE-2012-2495 — Improper Input Validation in Cisco | cvebase