#VU27595 Information disclosure in Cisco Adaptive Security Appliance (ASA) and Cisco Firewall Threat Defense (FTD) - CVE-2020-3259

 

Published: May 7, 2020 / Updated: February 1, 2024


Vulnerability identifier: #VU27595
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:A/U:Amber
CVE-ID: CVE-2020-3259
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: The vulnerability is being exploited in the wild
Vulnerable software:
Cisco Adaptive Security Appliance (ASA)
Cisco Firewall Threat Defense (FTD)
Software vendor:
Cisco Systems, Inc

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a buffer tracking issue when the software parses invalid URLs that are requested from the web services interface. A remote attacker can send a specially crafted GET request and gain unauthorized access to sensitive information on the system.


Remediation

The vendor recommends updating Cisco FTD Software to one of the following releases: 6.2.3.16 (June 2020), 6.3.0.6 (future release), 6.4.0.9 (May 2020) or 6.5.0.5 (future release).

External links