Published: 2023/11/13  Last Updated: 2023/11/13

JVN#17806703
Multiple vulnerabilities in Cisco Firepower Management Center Software

Overview

Cisco Firepower Management Center Software provided by Cisco Systems contains multiple vulnerabilities.

Products Affected

CVE-2023-20219
  • Cisco Firepower Management Center Software version 6.7.0 to 7.3.1.1

CVE-2023-20220
  • Cisco Firepower Management Center Software version 6.2.3 to 7.3.1.1

Description

Cisco Firepower Management Center Software provided by Cisco Systems contains multiple vulnerabilities listed below.

  • OS command injection (CWE-78) - CVE-2023-20219
    CVSS v3 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H Base Score: 6.6
    CVSS v2 AV:N/AC:H/Au:S/C:C/I:C/A:C Base Score: 7.1
  • Path traversal (CWE-22) - CVE-2023-20220
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Base Score: 7.2
    CVSS v2 AV:N/AC:H/Au:S/C:C/I:C/A:C Base Score: 7.1

Impact

  • A user who can log in to the product may execute an arbitrary command - CVE-2023-20219, CVE-2023-20220

Solution

Update the Software
Update the software to the latest version according to the information provided by the developer.

Credit

Kentaro Kawane of LAC Co., Ltd. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

CVE: CVE-2023-20219, CVE-2023-20220
JVN iPedia: JVNDB-2023-000114