Rewterz

Rewterz Threat Advisory – Multiple Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2022-20866 (CVSS: 7.4)

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software could allow a remote attacker to obtain sensitive information, caused by a logic error in how the RSA key is stored in memory on hardware platforms that perform hardware-based cryptography. By using side-channel attack techniques, an attacker could exploit this vulnerability to obtain the RSA private key and use it to launch further attacks against the affected system.

CVE-2022-20713 (CVSS: 4.3)

Cisco Adaptive Security Appliance Software is vulnerable to HTTP request smuggling, caused by improper validation of input passed to the Clientless SSL VPN component. By persuading a victim to visit a specially crafted website, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
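Request smuggling of any kind depends on two HTTP parsers disagreeing about where a request body ends. The advisory does not say which framing ambiguity the Clientless SSL VPN component mishandles, so the check below is a general one, added here as an example that is not part of the Rewterz advisory or of Cisco's code: a strict HTTP/1.1 header-framing validator of the kind a reverse proxy or WAF in front of the appliance can apply to reject any request whose body length is ambiguous (both Content-Length and Transfer-Encoding, conflicting Content-Length values, a non-final or unrecognised transfer coding, whitespace before the header colon). All request samples are constructed for the example.

```python
# Added example (not from the Rewterz advisory or Cisco): reject HTTP/1.1
# requests with ambiguous body framing, the precondition for request smuggling.
from dataclasses import dataclass
from typing import List, Tuple

# Transfer codings we recognise; anything else (e.g. "xchunked") is rejected
# rather than silently ignored, because ignoring it is how parsers diverge.
KNOWN_CODINGS = {"chunked", "gzip", "deflate", "compress"}


@dataclass
class FramingResult:
    ok: bool
    reason: str


def parse_headers(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw request into (request line, [(lower-case name, value)]).

    Only the header block is examined; the body, if any, is ignored here.
    Raises ValueError for lines that a strict parser must reject.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line:
            continue
        if b":" not in line:
            raise ValueError(f"malformed header line: {line!r}")
        name, value = line.split(b":", 1)
        # Leading whitespace is an obsolete line fold; whitespace before the
        # colon is forbidden (RFC 9112). Both are classic desync vectors.
        if name != name.strip():
            raise ValueError(f"whitespace around header name {name!r}")
        headers.append((name.decode("latin-1").lower(),
                        value.decode("latin-1").strip()))
    return request_line, headers


def check_framing(raw: bytes) -> FramingResult:
    """Return ok=True only when the request's body length is unambiguous."""
    try:
        _, headers = parse_headers(raw)
    except ValueError as exc:
        return FramingResult(False, str(exc))

    cls = [v for n, v in headers if n == "content-length"]
    tes = [v for n, v in headers if n == "transfer-encoding"]

    if cls and tes:
        return FramingResult(False, "both Content-Length and Transfer-Encoding present")
    if len(cls) > 1:
        # RFC 9110 allows merging identical duplicates; a strict front end
        # simply refuses them, since back ends differ on which one wins.
        return FramingResult(False, "multiple Content-Length headers")
    if cls and not cls[0].isdigit():
        return FramingResult(False, f"non-numeric Content-Length {cls[0]!r}")

    if tes:
        codings = [c.strip().lower() for v in tes for c in v.split(",")]
        if codings[-1] != "chunked":
            return FramingResult(False, "chunked is not the final transfer coding")
        unknown = [c for c in codings if c not in KNOWN_CODINGS]
        if unknown:
            return FramingResult(False, f"unrecognised transfer coding {unknown[0]!r}")

    return FramingResult(True, "unambiguous framing")


# Constructed sample requests used for the stand-alone demonstration below.
SAMPLES = {
    "plain CL": b"POST / HTTP/1.1\r\nHost: vpn.example\r\nContent-Length: 5\r\n\r\nhello",
    "CL + TE": (b"POST / HTTP/1.1\r\nHost: vpn.example\r\nContent-Length: 5\r\n"
                b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n"),
    "odd coding": b"POST / HTTP/1.1\r\nHost: vpn.example\r\nTransfer-Encoding: xchunked\r\n\r\n",
    "space before colon": b"POST / HTTP/1.1\r\nHost: vpn.example\r\nTransfer-Encoding : chunked\r\n\r\n",
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        result = check_framing(req)
        print(f"{label:20s} -> {'accept' if result.ok else 'REJECT'}: {result.reason}")
```

The policy here is deliberately stricter than the RFC minimum: anything a compliant parser "may" interpret in more than one way is refused at the edge, which removes the parser disagreement the attack needs without requiring knowledge of the specific back-end bug.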

Impact

  • Information Disclosure
  • Unauthorized Access

Indicators Of Compromise

CVE

  • CVE-2022-20866
  • CVE-2022-20713

Affected Vendors

Cisco

Affected Products

  • Cisco Firepower Threat Defense Software 7.0.0
  • Cisco Firepower Threat Defense Software 7.1.0
  • Cisco Adaptive Security Appliance Software 9.16
  • Cisco Adaptive Security Appliance Software 9.17
  • Cisco Adaptive Security Appliance Software 9.18
  • Cisco Firepower Threat Defense Software 7.2.0

Remediation

Refer to the Cisco Security Advisory for patch, upgrade, or suggested workaround information.

Cisco Security Advisory