CVE-2020-26065

Summary

A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to conduct path traversal attacks and obtain read access to sensitive files on an affected system. The vulnerability is due to insufficient validation of HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request that contains directory traversal character sequences to an affected system. A successful exploit could allow the attacker to view arbitrary files on the affected system.

Affected Software

VendorProductVersion RangeStatus
CiscoCisco SD-WAN vManage17.2.6affected
CiscoCisco SD-WAN vManage17.2.7affected
CiscoCisco SD-WAN vManage17.2.8affected
CiscoCisco SD-WAN vManage17.2.9affected
CiscoCisco SD-WAN vManage17.2.10affected
CiscoCisco SD-WAN vManage17.2.4affected
CiscoCisco SD-WAN vManage17.2.5affected
CiscoCisco SD-WAN vManage18.3.1.1affected
CiscoCisco SD-WAN vManage18.3.3.1affected
CiscoCisco SD-WAN vManage18.3.3affected
CiscoCisco SD-WAN vManage18.3.4affected
CiscoCisco SD-WAN vManage18.3.5affected
CiscoCisco SD-WAN vManage18.3.7affected
CiscoCisco SD-WAN vManage18.3.8affected
CiscoCisco SD-WAN vManage18.3.6.1affected
CiscoCisco SD-WAN vManage18.3.1affected
CiscoCisco SD-WAN vManage18.3.0affected
CiscoCisco SD-WAN vManage18.4.0.1affected
CiscoCisco SD-WAN vManage18.4.3affected
CiscoCisco SD-WAN vManage18.4.302affected
CiscoCisco SD-WAN vManage18.4.303affected
CiscoCisco SD-WAN vManage18.4.4affected
CiscoCisco SD-WAN vManage18.4.5affected
CiscoCisco SD-WAN vManage18.4.0affected
CiscoCisco SD-WAN vManage18.4.1affected
CiscoCisco SD-WAN vManage19.2.0affected
CiscoCisco SD-WAN vManage19.2.097affected
CiscoCisco SD-WAN vManage19.2.099affected
CiscoCisco SD-WAN vManage19.2.1affected
CiscoCisco SD-WAN vManage19.2.2affected
CiscoCisco SD-WAN vManage19.2.3affected
CiscoCisco SD-WAN vManage19.2.31affected
CiscoCisco SD-WAN vManage19.2.929affected
CiscoCisco SD-WAN vManage20.1.1.1affected
CiscoCisco SD-WAN vManage20.1.12affected
CiscoCisco SD-WAN vManage20.1.1affected
CiscoCisco SD-WAN vManage19.3.0affected
CiscoCisco SD-WAN vManage19.1.0affected
CiscoCisco SD-WAN vManage18.2.0affected
CiscoCisco SD-WAN vManage20.3.1affected

Weaknesses

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References