CVE-2020-3335

A vulnerability in the key store of Cisco Application Services Engine Software could allow an authenticated, local attacker to read sensitive information of other users on an affected device. The vulnerability is due to insufficient authorization limitations. An attacker could exploit this vulnerability by logging in to an affected device locally with valid credentials. A successful exploit could allow the attacker to read the sensitive information of other users on the affected device.

CVSS v3 5.5 MEDIUM
CVSS v2.0 2.1 LOW

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

2.1^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-APIC-KSV-3wzbHYT4	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:cisco:application_policy_infrastructure_controller:1.1\(0c\):::::::*
	cpe:2.3:a:cisco:application_services_engine::::::::

History

06 Aug 2021, 18:40

Type	Values Removed	Values Added
CWE	~~CWE-306~~	CWE-863

Information

Published : 2020-06-03 18:15

Updated : 2023-12-10 13:27

NVD link : CVE-2020-3335

Mitre link : CVE-2020-3335

CVE.ORG link : CVE-2020-3335

JSON object : View

Products Affected

cisco

application_services_engine
application_policy_infrastructure_controller

CWE

CWE-863

Incorrect Authorization

CWE-306

Missing Authentication for Critical Function

{"id": "CVE-2020-3335", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.1, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Secondary", "source": "ykramarz@cisco.com", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2020-06-03T18:15:22.447", "references": [{"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-APIC-KSV-3wzbHYT4", "tags": ["Patch", "Vendor Advisory"], "source": "ykramarz@cisco.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-863"}]}, {"type": "Secondary", "source": "ykramarz@cisco.com", "description": [{"lang": "en", "value": "CWE-306"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in the key store of Cisco Application Services Engine Software could allow an authenticated, local attacker to read sensitive information of other users on an affected device. The vulnerability is due to insufficient authorization limitations. An attacker could exploit this vulnerability by logging in to an affected device locally with valid credentials. A successful exploit could allow the attacker to read the sensitive information of other users on the affected device."}, {"lang": "es", "value": "Una vulnerabilidad en el almac\u00e9n de claves de Cisco Application Services Engine Software, podr\u00eda permitir a un atacante local autenticado leer informaci\u00f3n confidencial de otros usuarios sobre un dispositivo afectado. La vulnerabilidad es debido a limitaciones de autorizaci\u00f3n insuficientes. Un atacante podr\u00eda explotar esta vulnerabilidad al iniciar sesi\u00f3n localmente sobre un dispositivo afectado con credenciales v\u00e1lidas. Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir al atacante leer la informaci\u00f3n confidencial de otros usuarios en el dispositivo afectado."}], "lastModified": "2021-08-06T18:40:03.883", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cisco:application_policy_infrastructure_controller:1.1\\(0c\\):*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F69DAAF5-D078-4860-A26A-52BFEF1686BC"}, {"criteria": "cpe:2.3:a:cisco:application_services_engine:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0123B2FE-9213-4C1A-9FE1-95FE0513DE3A", "versionEndExcluding": "1.1.2.20"}], "operator": "OR"}]}], "sourceIdentifier": "ykramarz@cisco.com"}