CVE-2022-20713 — HTTP Request Smuggling in Cisco Adaptive Security Appliance Software

CWE-444 — HTTP Request Smuggling CWE-79 — Cross-site Scripting4 documents4 sources

Severity

6.1MEDIUMNVD

CNA4.3

EPSS

1.7%

top 17.58%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco Adaptive Security Appliance Software Cisco Firepower Threat Defense Software Cisco Adaptive Security Appliance Software +1 more

Timeline

PublishedAug 10

Latest updateAug 11

Description

A vulnerability in the VPN web client services component of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct browser-based attacks against users of an affected device. This vulnerability is due to improper validation of input that is passed to the VPN web client services component before being returned to the browser that is in use. An attacker could exploit this vulnerability by persuadi…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages4 packages

▶NVDcisco/adaptive_security_appliance_software150 versions+149

▶CVEListV5cisco/cisco_firepower_threat_defense_software72 versions+71

▶CVEListV5cisco/cisco_adaptive_security_appliance_software166 versions+165

▶NVDcisco/firepower_threat_defense71 versions+70

🔴Vulnerability Details

GHSA

GHSA-r8cv-8cqg-5fqv: A vulnerability in the Clientless SSL VPN (WebVPN) component of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remot↗2022-08-11

▶

CVEList

CVE-2022-20713: A vulnerability in the VPN web client services component of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD)↗2022-08-10

▶

📋Vendor Advisories

Cisco

Cisco Adaptive Security Appliance and Firepower Threat Defense Software VPN Web Client Services Client-Side Request Smuggling Vulnerability↗2022-08-10

▶