Cisco ASA VPN/FTD - Arbitrary File Read (CVE-2020-3452)
- Severity
- CVSSv3 Score
- 7.5
- Vulnerability description
Cisco ASA VPN/FTD is affected by an Arbitrary File Read vulnerability in the /+CSCOT+/translation-table endpoint. The root cause is insufficient validation of input in HTTP requests, which allows directory traversal attacks.
- Risk description
A remote unauthenticated attacker could exploit this vulnerability to view sensitive information in files located in the web services file system.
- Exploit capabilities
Sniper can read arbitrary files from the target system and extract them as evidence.
- Recommendation
Update the Cisco ASA server to a version higher than 9.14.1 or the FTD server to a version higher than 6.6.0.1.
- Codename
- Not available
- Detectable with
- Network Scanner
- Exploitable with Sniper
- Yes
- Vuln date
- Jul 2020
- Published at
- Updated at
- Software Type
- VPN gateway
- Vendor
- Cisco
- Product
- ASA