CVE-2020-3333

Cisco Application Services Engine Software Unauthenticated Event Policies Update Vulnerability

Severity Score

5.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A vulnerability in the API of Cisco Application Services Engine Software could allow an unauthenticated, remote attacker to update event policies on an affected device. The vulnerability is due to insufficient authentication of users who modify policies on an affected device. An attacker could exploit this vulnerability by crafting a malicious HTTP request to contact an affected device. A successful exploit could allow the attacker to update event policies on the affected device.

Una vulnerabilidad en la API de Cisco Application Services Engine Software, podría permitir a un atacante remoto no autenticado actualizar las políticas de eventos sobre un dispositivo afectado. La vulnerabilidad es debido a una autenticación insuficiente de los usuarios que modifican las políticas sobre un dispositivo afectado. Un atacante podría explotar esta vulnerabilidad al diseñar una petición HTTP maliciosa para contactar a un dispositivo afectado. Una explotación con éxito podría permitir al atacante actualizar las políticas de eventos en el dispositivo afectado.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-12-12 CVE Reserved
2020-06-03 CVE Published
2023-06-07 EPSS Updated
2024-09-16 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-306: Missing Authentication for Critical Function

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-APIC-EPU-F8y5kUOP	2020-06-11

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Cisco Search vendor "Cisco"		Application Policy Infrastructure Controller Search vendor "Cisco" for product "Application Policy Infrastructure Controller"				1.1\(0c\) Search vendor "Cisco" for product "Application Policy Infrastructure Controller" and version "1.1\(0c\)"		-		Affected
Cisco Search vendor "Cisco"		Application Services Engine Search vendor "Cisco" for product "Application Services Engine"				< 1.1.2.20 Search vendor "Cisco" for product "Application Services Engine" and version " < 1.1.2.20"		-		Affected