OpenCVE

A vulnerability in the application data endpoints of Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to gain access to sensitive information. The vulnerability is due to improper validation of directory traversal character sequences within requests to application programmatic interfaces (APIs). An attacker could exploit this vulnerability by sending malicious requests to an API within the affected application. A successful exploit could allow the attacker to conduct directory traversal attacks and gain access to sensitive information including credentials or user tokens.Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Cisco	Catalyst Sd-wan Manager

No data.

References

Link	Providers
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ssl-dos-7uZWwSEy
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vman-traversal-hQh24tmk
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmanage-escalation-Jhqs5Skf

History

Mon, 18 Nov 2024 17:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Cisco Cisco catalyst Sd-wan Manager
CPEs		cpe:2.3:a:cisco:catalyst_sd-wan_manager:17.2.10:::::::* cpe:2.3:a:cisco:catalyst_sd-wan_manager:17.2.4:::::::* cpe:2.3:a:cisco:catalyst_sd-wan_manager:17.2.5:::::::* cpe:2.3:a:cisco:catalyst_sd-wan_manager:17.2.6:::::::* cpe:2.3:a:cisco:catalyst_sd-wan_manager:17.2.7:::::::* cpe:2.3:a:cisco:catalyst_sd-wan_manager:17.2.8:::::::* cpe:2.3:a:cisco:catalyst_sd-wan_manager:17.2.9:::::::* cpe:2.3:a:cisco:catalyst_sd-wan_manager:18.2.0:::::::* cpe:2.3:a:cisco:catalyst_sd-wan_manager:18.3.0:::::::* cpe:2.3:a:cisco:catalyst_sd-wan_manager:18.3.1.1:::::::* cpe:2.3:a:cisco:catalyst_sd-wan_manager:18.3.1:::::::* cpe:2.3:a:cisco:catalyst_sd-wan_manager:18.3.3.1:::::::* cpe:2.3:a:cisco:catalyst_sd-wan_manager:18.3.3:::::::* cpe:2.3:a:cisco:catalyst_sd-wan_manager:18.3.4:::::::* cpe:2.3:a:cisco:catalyst_sd-wan_manager:18.3.5:::::::* cpe:2.3:a:cisco:catalyst_sd-wan_manager:18.3.6.1:::::::* cpe:2.3:a:cisco:catalyst_sd-wan_manager:18.3.6:::::::* cpe:2.3:a:cisco:catalyst_sd-wan_manager:18.3.7:::::::* cpe:2.3:a:cisco:catalyst_sd-wan_manager:18.3.8:::::::* cpe:2.3:a:cisco:catalyst_sd-wan_manager:18.4.0.1:::::::* cpe:2.3:a:cisco:catalyst_sd-wan_manager:18.4.0:::::::* cpe:2.3:a:cisco:catalyst_sd-wan_manager:18.4.1:::::::* cpe:2.3:a:cisco:catalyst_sd-wan_manager:18.4.302:::::::* cpe:2.3:a:cisco:catalyst_sd-wan_manager:18.4.303:::::::* cpe:2.3:a:cisco:catalyst_sd-wan_manager:18.4.3:::::::* cpe:2.3:a:cisco:catalyst_sd-wan_manager:18.4.4:::::::* cpe:2.3:a:cisco:catalyst_sd-wan_manager:18.4.501_es:::::::* cpe:2.3:a:cisco:catalyst_sd-wan_manager:18.4.5:::::::* cpe:2.3:a:cisco:catalyst_sd-wan_manager:19.0.0:::::::* cpe:2.3:a:cisco:catalyst_sd-wan_manager:19.0.1a:::::::* cpe:2.3:a:cisco:catalyst_sd-wan_manager:19.1.0:::::::* cpe:2.3:a:cisco:catalyst_sd-wan_manager:19.2.097:::::::* cpe:2.3:a:cisco:catalyst_sd-wan_manager:19.2.098:::::::* cpe:2.3:a:cisco:catalyst_sd-wan_manager:19.2.099:::::::* cpe:2.3:a:cisco:catalyst_sd-wan_manager:19.2.0:::::::* cpe:2.3:a:cisco:catalyst_sd-wan_manager:19.2.1:::::::* cpe:2.3:a:cisco:catalyst_sd-wan_manager:19.2.2:::::::* cpe:2.3:a:cisco:catalyst_sd-wan_manager:19.2.31:::::::* cpe:2.3:a:cisco:catalyst_sd-wan_manager:19.2.3:::::::* cpe:2.3:a:cisco:catalyst_sd-wan_manager:19.2.929:::::::* cpe:2.3:a:cisco:catalyst_sd-wan_manager:19.3.0:::::::* cpe:2.3:a:cisco:catalyst_sd-wan_manager:20.1.1.1:::::::* cpe:2.3:a:cisco:catalyst_sd-wan_manager:20.1.12:::::::* cpe:2.3:a:cisco:catalyst_sd-wan_manager:20.1.1:::::::* cpe:2.3:a:cisco:catalyst_sd-wan_manager:20.1.2:::::::* cpe:2.3:a:cisco:catalyst_sd-wan_manager:20.3.1:::::::*
Vendors & Products		Cisco Cisco catalyst Sd-wan Manager
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 18 Nov 2024 16:00:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability in the application data endpoints of Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to gain access to sensitive information. The vulnerability is due to improper validation of directory traversal character sequences within requests to application programmatic interfaces (APIs). An attacker could exploit this vulnerability by sending malicious requests to an API within the affected application. A successful exploit could allow the attacker to conduct directory traversal attacks and gain access to sensitive information including credentials or user tokens.Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
Title		Cisco SD-WAN vManage Directory Traversal Vulnerability
Weaknesses		CWE-35
References		https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ssl-dos-7uZWwSEy https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vman-traversal-hQh24tmk https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmanage-escalation-Jhqs5Skf
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/RL:X/RC:X/E:X'}`

MITRE

Status: PUBLISHED

Assigner: cisco

Published: 2024-11-18T15:57:25.059Z

Updated: 2024-11-18T16:52:48.583Z

Reserved: 2020-09-24T00:00:00.000Z

Link: CVE-2020-26073

Vulnrichment

Updated: 2024-11-18T16:51:54.511Z

NVD

Status : Awaiting Analysis

Published: 2024-11-18T16:15:05.947

Modified: 2024-11-18T17:11:17.393

Link: CVE-2020-26073

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object