Detections
Analytics
Cisco Web Security Appliance Information Disclosure (cisco-sa-esa-wsa-sma-info-gY2AEz2H)
medium Nessus Plugin ID 149843
Language:
Synopsis
The remote device is missing a vendor-supplied security patchDescription
A vulnerability in the web-based management interface of Cisco AsyncOS Software for Cisco Web Security Appliance (WSA) could allow an authenticated, remote attacker to access sensitive information on an affected device. The vulnerability exists because confidential information is included in HTTP requests that are exchanged between the user and the device. An attacker could exploit this vulnerability by looking at the raw HTTP requests that are sent to the interface. A successful exploit could allow the attacker to obtain some of the passwords that are configured throughout the interface.Please see the included Cisco BIDs and Cisco Security Advisory for more information.
Solution
Upgrade to the relevant fixed version referenced in Cisco bug IDs CSCvv98333, CSCvv98363, CSCvv98379, CSCvv98401, CSCvv98422, CSCvv98448, CSCvv99117, CSCvv99534, CSCvw03419, CSCvw03505, CSCvw04276, CSCvw35465, CSCvw36748See Also
http://www.nessus.org/u?156a645c
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv98333
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv98363
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv98379
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv98401
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv98422
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv98448
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv99117
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv99534
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvw03419
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvw03505
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvw04276
Plugin Details
Severity: Medium
ID: 149843
File Name: cisco-sa-esa-wsa-sma-info-gY2AEz2H_wsa.nasl
Version: 1.4
Type: combined
Family: CISCO
Published: 5/21/2021
Updated: 9/21/2023
Supported Sensors: Nessus
Risk Information
VPR
Risk Factor: Low
Score: 3.6
CVSS v2
Risk Factor: Medium
Base Score: 4
Temporal Score: 3
Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSS Score Source: CVE-2021-1516
CVSS v3
Risk Factor: Medium
Base Score: 6.5
Temporal Score: 5.7
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:cisco:web_security_appliance
Required KB Items: Host/AsyncOS/Cisco Web Security Appliance/DisplayVersion, Host/AsyncOS/Cisco Web Security Appliance/Version
Exploit Ease: No known exploits are available
Patch Publication Date: 5/5/2021
Vulnerability Publication Date: 5/5/2021
Reference Information
CVE: CVE-2021-1516
CWE: 540
CISCO-SA: cisco-sa-esa-wsa-sma-info-gY2AEz2H
IAVA: 2021-A-0244-S
CISCO-BUG-ID: CSCvv98333, CSCvv98363, CSCvv98379, CSCvv98401, CSCvv98422, CSCvv98448, CSCvv99117, CSCvv99534, CSCvw03419, CSCvw03505, CSCvw04276, CSCvw35465, CSCvw36748