CVE-2024-20355Missing Authorization in Cisco Adaptive Security Appliance Software

CWE-862Missing Authorization4 documents4 sources
Severity
5.0MEDIUMNVD
EPSS
0.8%
top 25.74%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Cisco Adaptive Security Appliance SoftwareCisco Firepower Threat Defense SoftwareCisco Adaptive Security Appliance Software+1 more
Timeline
PublishedMay 22

Description

A vulnerability in the implementation of SAML 2.0 single sign-on (SSO) for remote access VPN services in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker to successfully establish a VPN session on an affected device. This vulnerability is due to improper separation of authorization domains when using SAML authentication. An attacker could exploit this vulnerability by using valid credentials to succes

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:NExploitability: 3.1 | Impact: 1.4

Affected Packages4 packages

NVDcisco/firepower_threat_defense74 versions+73

🔴Vulnerability Details

2
GHSA
GHSA-2fpj-x8pr-gx6p: A vulnerability in the implementation of SAML 22024-05-22
CVEList
CVE-2024-20355: A vulnerability in the implementation of SAML 22024-05-22

📋Vendor Advisories

1
Cisco
Cisco Adaptive Security Appliance and Firepower Threat Defense Software Authorization Bypass Vulnerability2024-05-22
CVE-2024-20355 — Missing Authorization in Cisco | cvebase