Severity: 9.8 CRITICAL
EPSS: 88.5% (top 0.50%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 17; latest update May 24

Description

Multiple vulnerabilities in the Java deserialization function that is used by Cisco Security Manager could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device. These vulnerabilities are due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit these vulnerabilities by sending a malicious serialized Java object to a specific listener on an affected system. A successful exploit could allow the attacker to

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.2 | Impact: 5.9

Affected Packages: 2 packages

Vulnerability Details (2)

GHSA: GHSA-jwxx-hpqc-j7wm: Multiple vulnerabilities in the Java deserialization function that is used by Cisco Security Manager could allow an unauthenticated, remote attacker t (2022-05-24)
CVEList: Cisco Security Manager Java Deserialization Vulnerabilities (2020-11-17)

Vendor Advisories (1)

Cisco: Cisco Security Manager Java Deserialization Vulnerabilities (2020-11-16)