// For flags

CVE-2020-3333

Cisco Application Services Engine Software Unauthenticated Event Policies Update Vulnerability

Severity Score

5.3
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Attend
*SSVC
Descriptions

A vulnerability in the API of Cisco Application Services Engine Software could allow an unauthenticated, remote attacker to update event policies on an affected device. The vulnerability is due to insufficient authentication of users who modify policies on an affected device. An attacker could exploit this vulnerability by crafting a malicious HTTP request to contact an affected device. A successful exploit could allow the attacker to update event policies on the affected device.

Una vulnerabilidad en la API de Cisco Application Services Engine Software, podría permitir a un atacante remoto no autenticado actualizar las políticas de eventos sobre un dispositivo afectado. La vulnerabilidad es debido a una autenticación insuficiente de los usuarios que modifican las políticas sobre un dispositivo afectado. Un atacante podría explotar esta vulnerabilidad al diseñar una petición HTTP maliciosa para contactar a un dispositivo afectado. Una explotación con éxito podría permitir al atacante actualizar las políticas de eventos en el dispositivo afectado.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:Attend
Exploitation
None
Automatable
Yes
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2019-12-12 CVE Reserved
  • 2020-06-03 CVE Published
  • 2023-06-07 EPSS Updated
  • 2024-11-15 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-306: Missing Authentication for Critical Function
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Cisco
Search vendor "Cisco"
Application Policy Infrastructure Controller
Search vendor "Cisco" for product "Application Policy Infrastructure Controller"
1.1\(0c\)
Search vendor "Cisco" for product "Application Policy Infrastructure Controller" and version "1.1\(0c\)"
-
Affected
Cisco
Search vendor "Cisco"
Application Services Engine
Search vendor "Cisco" for product "Application Services Engine"
< 1.1.2.20
Search vendor "Cisco" for product "Application Services Engine" and version " < 1.1.2.20"
-
Affected