CVE-2020-3117 is a vulnerability in Cisco Content Security Management Appliance
Published on September 23, 2020
Cisco Web Security Appliance and Cisco Content Security Management Appliance HTTP Header Injection Vulnerability
A vulnerability in the API Framework of Cisco AsyncOS for Cisco Web Security Appliance (WSA) and Cisco Content Security Management Appliance (SMA) could allow an unauthenticated, remote attacker to inject crafted HTTP headers in the web server's response. The vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by persuading a user to access a crafted URL and receive a malicious HTTP response. A successful exploit could allow the attacker to inject arbitrary HTTP headers into valid HTTP responses sent to a user's browser.
Weakness Type
What is an HTTP Response Splitting Vulnerability?
The software receives data from an upstream component, but does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.
CVE-2020-3117 has been classified as an HTTP Response Splitting vulnerability or weakness.
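The weakness described above, shown as an added example that is not code from Cisco AsyncOS or from this page: a response serializer that writes a request-derived value into a header unchanged, next to one that rejects CR, LF and NUL first. The header name, function names and the sample value are assumptions made for illustration.

```python
from urllib.parse import unquote


class HeaderInjectionError(ValueError):
    """Raised when a header name or value contains a line terminator."""


# Characters that must never reach the header section of a response.
_FORBIDDEN = ("\r", "\n", "\x00")


def build_response_naive(status, headers):
    """Serialize headers as given: CR/LF inside a value starts a new header line."""
    lines = [f"HTTP/1.1 {status}"]
    lines += [f"{name}: {value}" for name, value in headers]
    return "\r\n".join(lines) + "\r\n\r\n"


def check_header(name, value):
    """Return (name, value) unchanged, or raise if either contains CR, LF or NUL."""
    for part in (name, value):
        if any(ch in part for ch in _FORBIDDEN):
            raise HeaderInjectionError(f"line terminator in header {name!r}")
    return name, value


def build_response_checked(status, headers):
    """Validate every header before handing it to the serializer."""
    return build_response_naive(status, [check_header(n, v) for n, v in headers])


def parse_header_names(raw):
    """Header names as a client would read them from the raw response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:] if ":" in line]


# Constructed sample: a URL parameter value after percent-decoding (hypothetical).
CONSTRUCTED_PARAM = unquote("en%0d%0aX-Injected:%20yes")

if __name__ == "__main__":
    naive = build_response_naive("200 OK", [("Content-Language", CONSTRUCTED_PARAM)])
    print(parse_header_names(naive))  # the client sees a second header
    try:
        build_response_checked("200 OK", [("Content-Language", CONSTRUCTED_PARAM)])
    except HeaderInjectionError as exc:
        print("rejected:", exc)
```

Rejecting the value is preferable to stripping the characters, because a stripped value still ends up in the response in a form the application never intended.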
Products Associated with CVE-2020-3117
Affected Versions
Cisco Web Security Appliance (WSA) Version n/a is affected by CVE-2020-3117
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.