CVE-2024-20337 - Vulnerability Details

A vulnerability in the SAML authentication process of Cisco Secure Client could allow an unauthenticated, remote attacker to conduct a carriage return line feed (CRLF) injection attack against a user.

This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a crafted link while establishing a VPN session. A successful exploit could allow the attacker to execute arbitrary script code in the browser or access sensitive, browser-based information, including a valid SAML token. The attacker could then use the token to establish a remote access VPN session with the privileges of the affected user. Individual hosts and services behind the VPN headend would still need additional credentials for successful access.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.06577.

Key SSVC decision points have not yet been added.

Vendors	Products
Apple	Macos
Cisco	Secure Client
Linux	Linux Kernel
Microsoft	Windows

Configuration 1 [-]

AND

OR	cpe:2.3:a:cisco:secure_client::::::::
	cpe:2.3:a:cisco:secure_client::::::::

OR	cpe:2.3:o:apple:macos:-:::::::*
	cpe:2.3:o:linux:linux_kernel:-:::::::*
	cpe:2.3:o:microsoft:windows:-:::::::*

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Cisco	Secure Client

References

Link	Providers
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-secure-client-crlf-W43V4G7

History

Tue, 22 Jul 2025 18:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apple Apple macos Linux Linux linux Kernel Microsoft Microsoft windows
CPEs		cpe:2.3:a:cisco:secure_client:::::::: cpe:2.3:o:apple:macos:-:::::::* cpe:2.3:o:linux:linux_kernel:-:::::::* cpe:2.3:o:microsoft:windows:-:::::::*
Vendors & Products		Apple Apple macos Linux Linux linux Kernel Microsoft Microsoft windows

MITRE

Status: PUBLISHED

Assigner: cisco

Published: 2024-03-06T16:30:02.285Z

Updated: 2024-08-01T21:59:42.871Z

Reserved: 2023-11-08T15:08:07.642Z

Link: CVE-2024-20337

Vulnrichment

Updated: 2024-08-01T21:59:42.871Z

NVD

Status : Analyzed

Published: 2024-03-06T17:15:09.580

Modified: 2025-07-22T18:00:37.350

Link: CVE-2024-20337

Redhat

No data.

OpenCVE Enrichment

Updated: 2025-07-12T16:01:27Z

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction Required

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction Required

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object