CVE-2014-2127

Cisco Adaptive Security Appliance (ASA) Software 8.x before 8.2(5.48), 8.3 before 8.3(2.40), 8.4 before 8.4(7.9), 8.6 before 8.6(1.13), 9.0 before 9.0(4.1), and 9.1 before 9.1(4.3) does not properly process management-session information during privilege validation for SSL VPN portal connections, which allows remote authenticated users to gain privileges by establishing a Clientless SSL VPN session and entering crafted URLs, aka Bug ID CSCul70099.

CVSS v2.0 8.5 HIGH

8.5^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:M/Au:S/C:C/I:C/A:C

Exploitability : 6.8 / Impact : 10.0

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-asa	Vendor Advisory
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-asa	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:cisco:adaptive_security_appliance_software:8.0:::::::*
	cpe:2.3:o:cisco:adaptive_security_appliance_software:8.1:::::::*
	cpe:2.3:o:cisco:adaptive_security_appliance_software:8.2:::::::*
	cpe:2.3:o:cisco:adaptive_security_appliance_software:8.3\(1\):::::::*
	cpe:2.3:o:cisco:adaptive_security_appliance_software:8.4:::::::*
	cpe:2.3:o:cisco:adaptive_security_appliance_software:8.6:::::::*
	cpe:2.3:o:cisco:adaptive_security_appliance_software:9.0:::::::*
	cpe:2.3:o:cisco:adaptive_security_appliance_software:9.1:::::::*

History

21 Nov 2024, 02:05

Type	Values Removed	Values Added
References	~~() http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-asa - Vendor Advisory~~	() http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-asa - Vendor Advisory

Information

Published : 2014-04-10 04:34

Updated : 2025-04-12 10:46

NVD link : CVE-2014-2127

Mitre link : CVE-2014-2127

CVE.ORG link : CVE-2014-2127

JSON object : View

Products Affected

cisco

adaptive_security_appliance_software

CWE

CWE-20

Improper Input Validation

{"id": "CVE-2014-2127", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 8.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "authentication": "SINGLE", "integrityImpact": "COMPLETE", "accessComplexity": "MEDIUM", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2014-04-10T04:34:50.960", "references": [{"url": "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-asa", "tags": ["Vendor Advisory"], "source": "psirt@cisco.com"}, {"url": "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-asa", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "Cisco Adaptive Security Appliance (ASA) Software 8.x before 8.2(5.48), 8.3 before 8.3(2.40), 8.4 before 8.4(7.9), 8.6 before 8.6(1.13), 9.0 before 9.0(4.1), and 9.1 before 9.1(4.3) does not properly process management-session information during privilege validation for SSL VPN portal connections, which allows remote authenticated users to gain privileges by establishing a Clientless SSL VPN session and entering crafted URLs, aka Bug ID CSCul70099."}, {"lang": "es", "value": "Cisco Adaptive Security Appliance (ASA) Software 8.x anterior a 8.2(5.48), 8.3 anterior a 8.3(2.40), 8.4 anterior a 8.4(7.9), 8.6 anterior a 8.6(1.13), 9.0 anterior a 9.0(4.1) y 9.1 anterior a 9.1(4.3) no procesa debidamente informaci\u00f3n de sesi\u00f3n de gesti\u00f3n durante validaci\u00f3n de privilegios para conexiones de portal SSL VPN, lo que permite a usuarios remotos autenticados ganar privilegios mediante el establecimiento de una sesi\u00f3n SSL VPN sin cliente y la entrada a URLs manipuladas, tambi\u00e9n conocido como Bug ID CSCul70099."}], "lastModified": "2025-04-12T10:46:40.837", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:cisco:adaptive_security_appliance_software:8.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4AFE6E41-E5C3-48AA-A534-A1AF3E86E3F0"}, {"criteria": "cpe:2.3:o:cisco:adaptive_security_appliance_software:8.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2185ED62-166C-4F43-ACA2-C1EF43C48D47"}, {"criteria": "cpe:2.3:o:cisco:adaptive_security_appliance_software:8.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "785388F5-E76A-4762-B498-35F69CE537AA"}, {"criteria": "cpe:2.3:o:cisco:adaptive_security_appliance_software:8.3\\(1\\):*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "31BA0ED9-6962-4E19-89A1-1724AADEC669"}, {"criteria": "cpe:2.3:o:cisco:adaptive_security_appliance_software:8.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5A914DE5-2269-451A-823A-B26AE1A7F980"}, {"criteria": "cpe:2.3:o:cisco:adaptive_security_appliance_software:8.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2BFCE154-6582-49E2-9B9D-641986B7D653"}, {"criteria": "cpe:2.3:o:cisco:adaptive_security_appliance_software:9.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F995B807-32A2-401F-99D5-FBBA8B69E844"}, {"criteria": "cpe:2.3:o:cisco:adaptive_security_appliance_software:9.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B64230D9-75E1-40C0-8889-43F1035F5B60"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@cisco.com"}

8.5 /10