CVE-2024-20331

CWE-330 CWE-331 CWE-269 — Improper Privilege Management CWE-862 — Missing Authorization5 documents5 sources

Severity

5.9MEDIUM

EPSS

1.0%

top 23.62%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco Cisco Adaptive Security Appliance (asa) Software Cisco Cisco Firepower Threat Defense Software Cisco Adaptive Security Appliance Software +1 more

Timeline

PublishedOct 23

Description

A vulnerability in the session authentication functionality of the Remote Access SSL VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to prevent users from authenticating. This vulnerability is due to insufficient entropy in the authentication process. An attacker could exploit this vulnerability by determining the handle of an authenticating user and using it to terminate their auth…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:HExploitability: 2.2 | Impact: 4.0

Affected Packages4 packages

▶NVDcisco/firepower_threat_defense_software84 versions+83

▶NVDcisco/adaptive_security_appliance_software188 versions+187

▶CVEListV5cisco/cisco_firepower_threat_defense_software84 versions+83

▶CVEListV5cisco/cisco_adaptive_security_appliance_(asa)_software188 versions+187

🔴Vulnerability Details

GHSA

GHSA-jrcg-6c8x-ff3h: A vulnerability in the session authentication functionality of the Remote Access SSL VPN feature of Cisco Adaptive Security Appliance (ASA) Software a↗2024-10-23

▶

CVEList

Cisco Adaptive Security Appliance and Firepower Threat Defense Software VPN Authentication DoS Vulnerability↗2024-10-23

▶

GHSA

In XWiki Platform, payloads stored in content is executed when a user with script/programming right edit them↗2024-08-19

▶

📋Vendor Advisories

Cisco

Cisco Adaptive Security Appliance and Firepower Threat Defense Software Remote Access SSL VPN Authentication Targeted Denial of Service Vulnerability↗2024-10-23

▶