CVE-2014-3399 — Code Injection in Cisco Adaptive Security Appliance Software

CWE-94 — Code Injection CWE-20 — Improper Input Validation4 documents4 sources

Severity

5.5MEDIUMNVD

EPSS

0.1%

top 69.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco Adaptive Security Appliance Software

Timeline

PublishedOct 7

Latest updateMay 17

Description

The SSL VPN implementation in Cisco Adaptive Security Appliance (ASA) Software 9.2(.2.4) and earlier does not properly manage session information during creation of a SharePoint handler, which allows remote authenticated users to overwrite arbitrary RAMFS cache files or inject Lua programs, and consequently cause a denial of service (portal outage or system reload), via crafted HTTP requests, aka Bug ID CSCup54208.

CVSS vector

AV:N/AC:L/C:N/I:P/A:PExploitability: 8.0 | Impact: 4.9

Affected Packages1 packages

▶NVDcisco/adaptive_security_appliance_software9.2\(2.4\)

🔴Vulnerability Details

GHSA

GHSA-5wrq-53j9-jj8f: The SSL VPN implementation in Cisco Adaptive Security Appliance (ASA) Software 9↗2022-05-17

▶

CVEList

CVE-2014-3399: The SSL VPN implementation in Cisco Adaptive Security Appliance (ASA) Software 9↗2014-10-07

▶

📋Vendor Advisories

Cisco

Cisco ASA Software SharePoint RAMFS Integrity and Lua Injection Vulnerability↗2014-10-06

▶