CVE-2014-8023 — Improper Authentication in Cisco Adaptive Security Appliance Software

CWE-264 CWE-287 — Improper Authentication4 documents4 sources

Severity

4.0MEDIUMNVD

EPSS

0.4%

top 38.58%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco Adaptive Security Appliance Software

Timeline

PublishedFeb 17

Latest updateMay 17

Description

Cisco Adaptive Security Appliance (ASA) Software 9.2(.3) and earlier, when challenge-response authentication is used, does not properly select tunnel groups, which allows remote authenticated users to bypass intended resource-access restrictions via a crafted tunnel-group parameter, aka Bug ID CSCtz48533.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 8.0 | Impact: 2.9

Affected Packages1 packages

▶NVDcisco/adaptive_security_appliance_software9.2.3

🔴Vulnerability Details

GHSA

GHSA-46xm-mj4f-4vwm: Cisco Adaptive Security Appliance (ASA) Software 9↗2022-05-17

▶

CVEList

CVE-2014-8023: Cisco Adaptive Security Appliance (ASA) Software 9↗2015-02-17

▶

📋Vendor Advisories

Cisco

Cisco ASA Challenge-Response Tunnel Group Selection Bypass Vulnerability↗2015-02-16

▶