CVE-2022-20737 — Heap-based Buffer Overflow in Cisco Adaptive Security Appliance Software

CWE-122 — Heap-based Buffer Overflow CWE-787 — Out-of-bounds Write4 documents4 sources

Severity

7.1HIGHNVD

CNA8.5

EPSS

0.7%

top 27.07%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco Adaptive Security Appliance Software Cisco Adaptive Security Appliance Software

Timeline

PublishedMay 3

Latest updateMay 4

Description

A vulnerability in the handler for HTTP authentication for resources accessed through the Clientless SSL VPN portal of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device or to obtain portions of process memory from an affected device. This vulnerability is due to insufficient bounds checking when parsing specific HTTP authentication messages. An attacker could exploit this vulnerability…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:HExploitability: 2.8 | Impact: 4.2

Affected Packages2 packages

▶NVDcisco/adaptive_security_appliance_software9.13.0 — 9.14.4+4

▶CVEListV5cisco/cisco_adaptive_security_appliance_softwaren/a

🔴Vulnerability Details

GHSA

GHSA-m263-3fx7-gm9v: A vulnerability in the handler for HTTP authentication for resources accessed through the Clientless SSL VPN portal of Cisco Adaptive Security Applian↗2022-05-04

▶

CVEList

Cisco Adaptive Security Appliance Software Clientless SSL VPN Heap Overflow Vulnerability↗2022-05-03

▶

📋Vendor Advisories

Cisco

Cisco Adaptive Security Appliance Software Clientless SSL VPN Heap Overflow Vulnerability↗2022-04-27

▶