CVE-2020-3367 — OS Command Injection in Cisco Asyncos

CWE-78 — OS Command Injection4 documents4 sources

Severity

7.8HIGHNVD

EPSS

0.3%

top 45.90%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco Asyncos Cisco WEB Security Appliance

Timeline

PublishedNov 18

Latest updateMay 24

Description

A vulnerability in the log subscription subsystem of Cisco AsyncOS for the Cisco Secure Web Appliance (formerly Web Security Appliance) could allow an authenticated, local attacker to perform command injection and elevate privileges to root. This vulnerability is due to insufficient validation of user-supplied input for the web interface and CLI. An attacker could exploit this vulnerability by authenticating to the affected device and injecting scripting commands in the scope of the log subscrip…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5cisco/cisco_web_security_appliancen/a

▶NVDcisco/asyncos11.8.0 — 11.8.2-009+3

🔴Vulnerability Details

GHSA

GHSA-w9wf-7g3r-xgx7: A vulnerability in the log subscription subsystem of Cisco AsyncOS for the Cisco Secure Web Appliance (formerly Web Security Appliance) could allow an↗2022-05-24

▶

CVEList

Cisco Secure Web Appliance Privilege Escalation Vulnerability↗2020-11-18

▶

📋Vendor Advisories

Cisco

Cisco Secure Web Appliance Privilege Escalation Vulnerability↗2020-11-18

▶