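Vulnerability Title
Cisco Security Manager Java Deserialization Vulnerabilities
Vulnerability Description
Multiple vulnerabilities in the Java deserialization function used by Cisco Security Manager could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device. These vulnerabilities are due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit these vulnerabilities by sending a malicious serialized Java object to a specific listener on an affected system. A successful exploit could allow the attacker to execute arbitrary commands on the device with the privileges of NT AUTHORITY\SYSTEM on the Windows target host. Cisco has not released software updates that address these vulnerabilities.
CVSS Information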
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability Category
N/A
Vulnerability Title
Cisco Security Manager Java Deserialization Vulnerabilities
Vulnerability Description
Multiple vulnerabilities in the Java deserialization function that is used by Cisco Security Manager could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device. These vulnerabilities are due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit these vulnerabilities by sending a malicious serialized Java object to a specific listener on an affected system. A successful exploit could allow the attacker to execute arbitrary commands on the device with the privileges of NT AUTHORITY\SYSTEM on the Windows target host. Cisco has not released software updates that address these vulnerabilities.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
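Vulnerability Category
Improper Input Validation
Vulnerability Title
Cisco Security Manager Code Issue Vulnerability
Vulnerability Description
Cisco Security Manager (CSM) is an enterprise-class management application from Cisco (USA), used primarily to configure firewall, VPN, and intrusion prevention security services on Cisco network and security devices. Cisco Security Manager has a code issue vulnerability that stems from insecure deserialization of user-supplied content by the affected software. An attacker can exploit this vulnerability by sending a malicious serialized Java object to a specific listener on an affected system. Successful exploitation can result in arbitrary command execution on the affected device.
CVSS Information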
N/A
Vulnerability Category
Code Issue