CVE-2020-3142

A vulnerability in Cisco Webex Meetings Suite sites and Cisco Webex Meetings Online sites could allow an unauthenticated, remote attendee to join a password-protected meeting without providing the meeting password. The connection attempt must initiate from a Webex mobile application for either iOS or Android. The vulnerability is due to unintended meeting information exposure in a specific meeting join flow for mobile applications. An unauthorized attendee could exploit this vulnerability by accessing a known meeting ID or meeting URL from the mobile device’s web browser. The browser will then request to launch the device’s Webex mobile application. A successful exploit could allow the unauthorized attendee to join the password-protected meeting. The unauthorized attendee will be visible in the attendee list of the meeting as a mobile attendee. Cisco has applied updates that address this vulnerability and no user action is required. This vulnerability affects Cisco Webex Meetings Suite sites and Cisco Webex Meetings Online sites releases earlier than 39.11.5 and 40.1.3.

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200124-webex-unauthjoin	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:cisco:webex_meetings_online:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:a:cisco:webex_meetings_online:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-01-26 05:15

Updated : 2023-12-10 13:13

NVD link : CVE-2020-3142

Mitre link : CVE-2020-3142

CVE.ORG link : CVE-2020-3142

JSON object : View

Products Affected

cisco

webex_meetings_online

CWE

CWE-306

Missing Authentication for Critical Function

CWE-284

Improper Access Control

{"id": "CVE-2020-3142", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Secondary", "source": "ykramarz@cisco.com", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2020-01-26T05:15:17.990", "references": [{"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200124-webex-unauthjoin", "tags": ["Vendor Advisory"], "source": "ykramarz@cisco.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-306"}]}, {"type": "Secondary", "source": "ykramarz@cisco.com", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in Cisco Webex Meetings Suite sites and Cisco Webex Meetings Online sites could allow an unauthenticated, remote attendee to join a password-protected meeting without providing the meeting password. The connection attempt must initiate from a Webex mobile application for either iOS or Android. The vulnerability is due to unintended meeting information exposure in a specific meeting join flow for mobile applications. An unauthorized attendee could exploit this vulnerability by accessing a known meeting ID or meeting URL from the mobile device’s web browser. The browser will then request to launch the device’s Webex mobile application. A successful exploit could allow the unauthorized attendee to join the password-protected meeting. The unauthorized attendee will be visible in the attendee list of the meeting as a mobile attendee. Cisco has applied updates that address this vulnerability and no user action is required. This vulnerability affects Cisco Webex Meetings Suite sites and Cisco Webex Meetings Online sites releases earlier than 39.11.5 and 40.1.3."}, {"lang": "es", "value": "Una vulnerabilidad en los sitios de Cisco Webex Meetings Suite y los sitios de Cisco Webex Meetings Online podr\u00eda permitir que un asistente remoto no autenticado se una a una reuni\u00f3n protegida por contrase\u00f1a sin proporcionar la contrase\u00f1a de la reuni\u00f3n. El intento de conexi\u00f3n debe iniciarse desde una aplicaci\u00f3n m\u00f3vil Webex para iOS o Android. La vulnerabilidad se debe a la exposici\u00f3n involuntaria de informaci\u00f3n de la reuni\u00f3n en un flujo de reuni\u00f3n de reuni\u00f3n espec\u00edfico para aplicaciones m\u00f3viles. Un asistente no autorizado podr\u00eda aprovechar esta vulnerabilidad accediendo a un ID de reuni\u00f3n o URL de reuni\u00f3n conocidos El navegador web m\u00f3vil device\u2019s . Luego, el navegador solicitar\u00e1 iniciar la aplicaci\u00f3n device\u2019s m\u00f3vil Webex. Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir que el asistente no autorizado se una a la reuni\u00f3n protegida por contrase\u00f1a. El asistente no autorizado estar\u00e1 visible en la lista de asistentes de la reuni\u00f3n como asistente m\u00f3vil. Cisco ha aplicado actualizaciones que abordan esta vulnerabilidad y no se requiere ninguna acci\u00f3n del usuario. Esta vulnerabilidad afecta a los sitios de Cisco Webex Meetings Suite y a los lanzamientos de sitios en l\u00ednea de Cisco Webex Meetings anteriores a la versi\u00f3n 39.11.5 y 40.1.3."}], "lastModified": "2020-01-28T15:39:32.280", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cisco:webex_meetings_online:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "454E1712-A930-4DC6-BF6C-53B6EC7E03C2", "versionEndExcluding": "39.11.5"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cisco:webex_meetings_online:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0DA97750-36D5-4E42-A05B-44430DCD1428", "versionEndExcluding": "40.1.3"}], "operator": "OR"}]}], "sourceIdentifier": "ykramarz@cisco.com"}