Vulnerability Name:

CVE-2013-3383 (CCN-85282)

Assigned:2013-06-26
Published:2013-06-26
Updated:2013-06-28
Summary:The web framework in IronPort AsyncOS on Cisco Web Security Appliance devices before 7.1.3-013, 7.5 before 7.5.0-838, and 7.7 before 7.7.0-550 allows remote authenticated users to execute arbitrary commands via crafted command-line input in a URL sent over IPv4, aka Bug ID CSCzv69294.
CVSS v3 Severity:9.0 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Severity:9.0 High (CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C)
6.7 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
9.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C)
6.7 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
Vulnerability Type:CWE-94
Vulnerability Consequences:Gain Privileges
References:Source: MITRE
Type: CNA
CVE-2013-3383

Source: CCN
Type: cisco-sa-20130626-wsa
Multiple Vulnerabilities in Cisco Web Security Appliance

Source: CISCO
Type: Vendor Advisory
20130626 Multiple Vulnerabilities in Cisco Web Security Appliance

Source: CCN
Type: BID-60804
Cisco Web Security Appliance CVE-2013-3383 Command Injection Vulnerability

Source: XF
Type: UNKNOWN
cisco-web-cve-20133383-command-exec(85282)

Vulnerable Configuration:Configuration 1:
  • cpe:/o:cisco:ironport_asyncos:*:*:*:*:*:*:*:* (Version <= 7.1.3)
  • OR cpe:/o:cisco:ironport_asyncos:7.5:*:*:*:*:*:*:*
  • OR cpe:/o:cisco:ironport_asyncos:7.7:*:*:*:*:*:*:*
  • AND
  • cpe:/h:cisco:web_security_appliance:-:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:cisco:web_security_appliance:*:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    cisco ironport asyncos *
    cisco ironport asyncos 7.5
    cisco ironport asyncos 7.7
    cisco web security appliance -
    cisco web security appliance *