A vulnerability in the implementation of Security Assertion Markup Language (SAML) 2.0 single sign-on (SSO) for remote access VPN in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to intercept the SAML assertion of a user who is authenticating to a remote access VPN session. This vulnerability is due to insufficient validation of the login URL. An attacker could exploit this vulnerability by persuading a user to access a site that is under the control of the attacker, allowing the attacker to modify the login URL. A successful exploit could allow the attacker to intercept a successful SAML assertion and use that assertion to establish a remote access VPN session toward the affected device with the identity and permissions of the hijacked user, resulting in access to the protected network.
References
Link | Resource |
---|---|
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-saml-hijack-ttuQfyz | Vendor Advisory |
Configurations
History
25 Jan 2024, 17:15
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-601 |
14 Nov 2023, 19:03
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.1 |
References | (MISC) https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-saml-hijack-ttuQfyz - Vendor Advisory | |
CWE | NVD-CWE-noinfo | |
First Time |
Cisco
Cisco adaptive Security Appliance Software Cisco firepower Threat Defense |
|
CPE | cpe:2.3:a:cisco:firepower_threat_defense:7.2.4:*:*:*:*:*:*:* cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:* |
01 Nov 2023, 18:17
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-11-01 18:15
Updated : 2024-01-25 17:15
NVD link : CVE-2023-20264
Mitre link : CVE-2023-20264
CVE.ORG link : CVE-2023-20264
JSON object : View
Products Affected
cisco
- firepower_threat_defense
- adaptive_security_appliance_software
CWE