CVE-2020-3367 is a vulnerability in Cisco Asyncos
Published on November 18, 2020
Cisco Secure Web Appliance Privilege Escalation Vulnerability
A vulnerability in the log subscription subsystem of Cisco AsyncOS for the Cisco Secure Web Appliance (formerly Web Security Appliance) could allow an authenticated, local attacker to perform command injection and elevate privileges to root. This vulnerability is due to insufficient validation of user-supplied input for the web interface and CLI. An attacker could exploit this vulnerability by authenticating to the affected device and injecting scripting commands in the scope of the log subscription subsystem. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system and elevate privileges to root.
Weakness Type
What is a Shell injection Vulnerability?
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CVE-2020-3367 has been classified to as a Shell injection vulnerability or weakness.
Products Associated with CVE-2020-3367
Want to know whenever a new CVE is published for Cisco Asyncos? stack.watch will email you.
Affected Versions
Cisco Web Security Appliance (WSA) Version n/a is affected by CVE-2020-3367Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.