certfr_alerte - certfr-2020-ale-018

CERTFR-2020-ALE-018

Vulnerability from certfr_alerte

Le 22 juillet 2020, Cisco a publié des correctifs pour la vulnérabilité CVE-2020-3452.

Cette vulnérabilité affecte les équipements Adaptive Security Appliance (ASA) Software et Firepower Threat Defense (FTD) lorsque les fonctionnalités WebVPN ou AnyConnect sont activées.

Cette vulnérabilité permet à un attaquant de récupérer le contenu de n'importe quel fichier appartenant au système de fichiers des services web. Ce système de fichiers, monté en mémoire, est différent de celui du système d'exploitation de l'équipement. Il contient néanmoins potentiellement des informations sensibles sur la machine et sur le réseau que celle-ci est censée protéger.

Le jour où Cisco a publié ses mises à jour, un chercheur a publié des preuves de concept permettant d'exploiter cette vulnérabilité.

Le CERT-FR a connaissance de campagnes tentant d'exploiter cette vulnérabilité.

Solution

Un correctif n'est pas encore disponible pour toutes les versions.

Le CERT-FR recommande de migrer vers une version non vulnérable dans les plus brefs délais.

Dans tous les cas, le CERT-FR recommande de vérifier les journaux à la recherche de requêtes suspectes. Si celles-ci sont détectées, il faut en tirer les conséquences et modifier tous les secrets qui auront pu être compromis.

None

Impacted products

Vendor	Product	Description
Cisco	Adaptive Security Appliance	Cisco Adaptive Security Appliance (ASA) versions 9.12.x antérieures à 9.12.3.12
Cisco	Adaptive Security Appliance	Cisco Adaptive Security Appliance (ASA) versions antérieures à 9.6.4.42
Cisco	Firepower Threat Defense	Cisco Firepower Threat Defense (FTD) versions 6.5.x antérieures à 6.5.0.4 avec les correctifs de sécurité temporaires qui seront disponibles en août 2020 ou 6.5.0.5 (disponible automne 2020)
Cisco	Firepower Threat Defense	Cisco Firepower Threat Defense (FTD) versions 6.2.x antérieures à 6.2.3.16
Cisco	Adaptive Security Appliance	Cisco Adaptive Security Appliance (ASA) versions 9.9.x antérieures à 9.9.2.74
Cisco	Firepower Threat Defense	Cisco Firepower Threat Defense (FTD) versions antérieures à 6.6.0.1
Cisco	Adaptive Security Appliance	Cisco Adaptive Security Appliance (ASA) versions 9.7.x et 9.8.x antérieures à 9.8.4.20
Cisco	Firepower Threat Defense	Cisco Firepower Threat Defense (FTD) versions 6.4.x antérieures à 6.4.0.9 avec les correctifs de sécurité temporaires ou 6.4.0.10 (disponible août 2020)
Cisco	Adaptive Security Appliance	Cisco Adaptive Security Appliance (ASA) versions 9.10.x antérieures à 9.10.1.42
Cisco	Adaptive Security Appliance	Cisco Adaptive Security Appliance (ASA) versions 9.13.x antérieures à 9.13.1.10
Cisco	Firepower Threat Defense	Cisco Firepower Threat Defense (FTD) versions 6.3.x antérieures à 6.3.0.5 avec les correctifs de sécurité temporaires qui seront disponibles en août 2020 ou 6.3.0.6 (disponible automne 2020)
Cisco	Adaptive Security Appliance	Cisco Adaptive Security Appliance (ASA) versions 9.14.x antérieures à 9.14.1.10

References

Title

Publication Time

Tags

Bulletin de sécurité Cisco cisco-sa-asaftd-ro-path-KJuQhB86 du 22 juillet 2020	None	vendor-advisory
Avis CERTFR CERTFR-2020-AVI-461 du 23 juillet 2020	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Cisco Adaptive Security Appliance (ASA) versions 9.12.x ant\u00e9rieures \u00e0 9.12.3.12",
      "product": {
        "name": "Adaptive Security Appliance",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Cisco Adaptive Security Appliance (ASA) versions ant\u00e9rieures \u00e0 9.6.4.42",
      "product": {
        "name": "Adaptive Security Appliance",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Cisco Firepower Threat Defense (FTD) versions 6.5.x ant\u00e9rieures \u00e0 6.5.0.4 avec les correctifs de s\u00e9curit\u00e9 temporaires qui seront disponibles en ao\u00fbt 2020 ou 6.5.0.5 (disponible automne 2020)",
      "product": {
        "name": "Firepower Threat Defense",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Cisco Firepower Threat Defense (FTD) versions 6.2.x ant\u00e9rieures \u00e0 6.2.3.16",
      "product": {
        "name": "Firepower Threat Defense",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Cisco Adaptive Security Appliance (ASA) versions 9.9.x ant\u00e9rieures \u00e0 9.9.2.74",
      "product": {
        "name": "Adaptive Security Appliance",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Cisco Firepower Threat Defense (FTD) versions ant\u00e9rieures \u00e0 6.6.0.1",
      "product": {
        "name": "Firepower Threat Defense",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Cisco Adaptive Security Appliance (ASA) versions 9.7.x et 9.8.x ant\u00e9rieures \u00e0 9.8.4.20",
      "product": {
        "name": "Adaptive Security Appliance",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Cisco Firepower Threat Defense (FTD) versions 6.4.x ant\u00e9rieures \u00e0 6.4.0.9 avec les correctifs de s\u00e9curit\u00e9 temporaires ou 6.4.0.10 (disponible ao\u00fbt 2020)",
      "product": {
        "name": "Firepower Threat Defense",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Cisco Adaptive Security Appliance (ASA) versions 9.10.x ant\u00e9rieures \u00e0 9.10.1.42",
      "product": {
        "name": "Adaptive Security Appliance",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Cisco Adaptive Security Appliance (ASA) versions 9.13.x ant\u00e9rieures \u00e0 9.13.1.10",
      "product": {
        "name": "Adaptive Security Appliance",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Cisco Firepower Threat Defense (FTD) versions 6.3.x ant\u00e9rieures \u00e0 6.3.0.5 avec les correctifs de s\u00e9curit\u00e9 temporaires qui seront disponibles en ao\u00fbt 2020 ou 6.3.0.6 (disponible automne 2020)",
      "product": {
        "name": "Firepower Threat Defense",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Cisco Adaptive Security Appliance (ASA) versions 9.14.x ant\u00e9rieures \u00e0 9.14.1.10",
      "product": {
        "name": "Adaptive Security Appliance",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "closed_at": "2020-11-05",
  "content": "## Solution\n\nUn correctif n\u0027est pas encore disponible pour toutes les versions.\n\nLe CERT-FR recommande de migrer vers une version non vuln\u00e9rable dans les\nplus brefs d\u00e9lais.\n\nDans tous les cas, le CERT-FR recommande de v\u00e9rifier les journaux \u00e0 la\nrecherche de requ\u00eates suspectes. Si celles-ci sont d\u00e9tect\u00e9es, il faut en\ntirer les cons\u00e9quences et modifier tous les secrets qui auront pu \u00eatre\ncompromis.\n",
  "cves": [
    {
      "name": "CVE-2020-3452",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-3452"
    }
  ],
  "initial_release_date": "2020-07-28T00:00:00",
  "last_revision_date": "2020-11-05T00:00:00",
  "links": [],
  "reference": "CERTFR-2020-ALE-018",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2020-07-28T00:00:00.000000"
    },
    {
      "description": "Cl\u00f4ture de l\u0027alerte. Cela ne signifie pas la fin d\u0027une menace. Seule l\u0027application de la mise \u00e0 jour permet de vous pr\u00e9munir contre l\u0027exploitation de la vuln\u00e9rabilit\u00e9 correspondante.",
      "revision_date": "2020-11-05T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "Le 22 juillet 2020, Cisco a publi\u00e9 des correctifs pour la vuln\u00e9rabilit\u00e9\nCVE-2020-3452.\n\nCette vuln\u00e9rabilit\u00e9 affecte les \u00e9quipements Adaptive Security Appliance\n(ASA) Software et Firepower Threat Defense (FTD) lorsque les\nfonctionnalit\u00e9s\u00a0WebVPN ou AnyConnect sont activ\u00e9es.\n\nCette vuln\u00e9rabilit\u00e9 permet \u00e0 un attaquant de r\u00e9cup\u00e9rer le contenu de\nn\u0027importe quel fichier appartenant au syst\u00e8me de fichiers des services\nweb. Ce syst\u00e8me de fichiers, mont\u00e9 en m\u00e9moire, est diff\u00e9rent de celui du\nsyst\u00e8me d\u0027exploitation de l\u0027\u00e9quipement. Il contient n\u00e9anmoins\npotentiellement des informations sensibles sur la machine et sur le\nr\u00e9seau que celle-ci est cens\u00e9e prot\u00e9ger.\n\nLe jour o\u00f9 Cisco a publi\u00e9 ses mises \u00e0 jour, un chercheur a publi\u00e9 des\npreuves de concept permettant d\u0027exploiter cette vuln\u00e9rabilit\u00e9.\n\nLe CERT-FR a connaissance de campagnes tentant d\u0027exploiter cette\nvuln\u00e9rabilit\u00e9.\n\n\u00a0\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans Cisco ASA et FTD",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Cisco cisco-sa-asaftd-ro-path-KJuQhB86 du 22 juillet 2020",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86"
    },
    {
      "published_at": null,
      "title": "Avis CERTFR CERTFR-2020-AVI-461 du 23 juillet 2020",
      "url": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2020-AVI-461/"
    }
  ]
}

CVE-2020-3452 (GCVE-0-2020-3452)

Vulnerability from cvelistv5

Published

2020-07-22 20:00

Modified

2025-07-30 01:45

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-20

Summary

A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device. The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.

References

URL

Tags

	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86	vendor-advisory, x_refsource_CISCO
	http://packetstormsecurity.com/files/158646/Cisco-ASA-FTD-Remote-File-Disclosure.html	x_refsource_MISC
	http://packetstormsecurity.com/files/158647/Cisco-Adaptive-Security-Appliance-Software-9.11-Local-File-Inclusion.html	x_refsource_MISC
	http://packetstormsecurity.com/files/159523/Cisco-ASA-FTD-9.6.4.42-Path-Traversal.html	x_refsource_MISC
	http://packetstormsecurity.com/files/160497/Cisco-ASA-9.14.1.10-FTD-6.6.0.1-Path-Traversal.html	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Cisco	Cisco Adaptive Security Appliance (ASA) Software	Version: unspecified < 9.6.4.42 Version: unspecified < 9.8.4.20 Version: unspecified < 9.9.2.74 Version: unspecified < 9.10.1.42 Version: unspecified < 9.13.1.10 Version: unspecified < 9.14.1.10

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T07:37:54.107Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "20200722 Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Read-Only Path Traversal Vulnerability",
            "tags": [
              "vendor-advisory",
              "x_refsource_CISCO",
              "x_transferred"
            ],
            "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/158646/Cisco-ASA-FTD-Remote-File-Disclosure.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/158647/Cisco-Adaptive-Security-Appliance-Software-9.11-Local-File-Inclusion.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/159523/Cisco-ASA-FTD-9.6.4.42-Path-Traversal.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/160497/Cisco-ASA-9.14.1.10-FTD-6.6.0.1-Path-Traversal.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2020-3452",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-04T15:34:29.959713Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2021-11-03",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-3452"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-30T01:45:37.610Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "timeline": [
          {
            "lang": "en",
            "time": "2021-11-03T00:00:00+00:00",
            "value": "CVE-2020-3452 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Cisco Adaptive Security Appliance (ASA) Software",
          "vendor": "Cisco",
          "versions": [
            {
              "lessThan": "9.6.4.42",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "9.8.4.20",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "9.9.2.74",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "9.10.1.42",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "9.13.1.10",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "9.14.1.10",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2020-07-22T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device. The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-12-15T17:06:12.000Z",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "name": "20200722 Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Read-Only Path Traversal Vulnerability",
          "tags": [
            "vendor-advisory",
            "x_refsource_CISCO"
          ],
          "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/158646/Cisco-ASA-FTD-Remote-File-Disclosure.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/158647/Cisco-Adaptive-Security-Appliance-Software-9.11-Local-File-Inclusion.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/159523/Cisco-ASA-FTD-9.6.4.42-Path-Traversal.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/160497/Cisco-ASA-9.14.1.10-FTD-6.6.0.1-Path-Traversal.html"
        }
      ],
      "source": {
        "advisory": "cisco-sa-asaftd-ro-path-KJuQhB86",
        "defect": [
          [
            "CSCvt03598"
          ]
        ],
        "discovery": "INTERNAL"
      },
      "title": "Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Read-Only Path Traversal Vulnerability",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@cisco.com",
          "DATE_PUBLIC": "2020-07-22T16:00:00",
          "ID": "CVE-2020-3452",
          "STATE": "PUBLIC",
          "TITLE": "Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Read-Only Path Traversal Vulnerability"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Cisco Adaptive Security Appliance (ASA) Software",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "9.6.4.42"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "9.8.4.20"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "9.9.2.74"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "9.10.1.42"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "9.13.1.10"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "9.14.1.10"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Cisco"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device. The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files."
            }
          ]
        },
        "exploit": [
          {
            "lang": "en",
            "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."
          }
        ],
        "impact": {
          "cvss": {
            "baseScore": "7.5",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-20"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "20200722 Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Read-Only Path Traversal Vulnerability",
              "refsource": "CISCO",
              "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86"
            },
            {
              "name": "http://packetstormsecurity.com/files/158646/Cisco-ASA-FTD-Remote-File-Disclosure.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/158646/Cisco-ASA-FTD-Remote-File-Disclosure.html"
            },
            {
              "name": "http://packetstormsecurity.com/files/158647/Cisco-Adaptive-Security-Appliance-Software-9.11-Local-File-Inclusion.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/158647/Cisco-Adaptive-Security-Appliance-Software-9.11-Local-File-Inclusion.html"
            },
            {
              "name": "http://packetstormsecurity.com/files/159523/Cisco-ASA-FTD-9.6.4.42-Path-Traversal.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/159523/Cisco-ASA-FTD-9.6.4.42-Path-Traversal.html"
            },
            {
              "name": "http://packetstormsecurity.com/files/160497/Cisco-ASA-9.14.1.10-FTD-6.6.0.1-Path-Traversal.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/160497/Cisco-ASA-9.14.1.10-FTD-6.6.0.1-Path-Traversal.html"
            }
          ]
        },
        "source": {
          "advisory": "cisco-sa-asaftd-ro-path-KJuQhB86",
          "defect": [
            [
              "CSCvt03598"
            ]
          ],
          "discovery": "INTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2020-3452",
    "datePublished": "2020-07-22T20:00:22.049Z",
    "dateReserved": "2019-12-12T00:00:00.000Z",
    "dateUpdated": "2025-07-30T01:45:37.610Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CERTFR-2020-ALE-018

Vulnerability from certfr_alerte

Solution

CVE-2020-3452 (GCVE-0-2020-3452)

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature