Advisory No: TZCERT/SA/2020/11/18
Date of First Release: 18th November 2020
Software Affected: Cisco Security Manager releases 4.21 and earlier.
The vulnerability exists in Cisco Security Manager and could allow an unauthenticated, remote attacker to gain access to sensitive information.
The vulnerability is caused by improper validation of directory traversal sequences on an affected system. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted URI that contains directory traversal characters, which could disclose the contents of files located outside of the server's restricted path.
Successful exploitation of the vulnerability could allow an adversary to gain access to sensitive information.
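The following Python example is added here to illustrate the bug class described above; it is not Cisco Security Manager code, does not reproduce the actual affected URI, and uses a hypothetical web root (/var/www/html) and constructed access-log lines. It contrasts a naive "strip ../" filter (which is bypassed by "....//" sequences) with a resolver that decodes, canonicalises and checks that the result stays under the root, and runs a simple traversal check over the sample log lines.

```python
"""Directory-traversal illustration (added example, not Cisco's code).

Shows (1) why stripping "../" is insufficient, (2) a containment-based
resolver, and (3) detection over constructed web-server access-log lines.
The web root and log lines below are hypothetical.
"""
import posixpath
import re
from typing import List, Optional
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"  # hypothetical restricted path


def naive_strip(requested: str) -> str:
    """Vulnerable pattern: removes literal '../' in a single pass.

    '....//' collapses to '../' after one pass, and percent-encoded forms
    are never touched, so traversal survives the filter.
    """
    return requested.replace("../", "")


def resolve_under_root(web_root: str, requested: str) -> Optional[str]:
    """Hardened pattern: decode, canonicalise, then require containment.

    Returns the absolute path to serve, or None if the request would
    escape web_root. Decoding is repeated a bounded number of times so that
    double-encoded sequences (%252e%252e%252f) are also normalised before
    the check; this is a conservative choice for a gatekeeper.
    """
    path = requested
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # NUL bytes and backslashes have no legitimate use in a URI path here.
    if "\x00" in path or "\\" in path:
        return None
    root = posixpath.normpath(web_root)
    full = posixpath.normpath(posixpath.join(root, path.lstrip("/")))
    if full != root and not full.startswith(root + "/"):
        return None
    return full


# Plain, encoded, double-encoded and overlong-UTF-8 dot-dot-slash variants.
TRAVERSAL_RE = re.compile(
    r"\.\./|\.\.\\|%2e%2e%2f|%2e%2e/|\.\.%2f|%252e%252e%252f|%c0%ae",
    re.IGNORECASE,
)
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+)')


def flag_traversal(log_lines: List[str], web_root: str = WEB_ROOT) -> List[str]:
    """Return the request URIs that look like traversal attempts.

    A line is flagged if the URI matches a known traversal pattern or if the
    hardened resolver says it would escape web_root.
    """
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        uri = m.group(1)
        if TRAVERSAL_RE.search(uri) or resolve_under_root(web_root, uri) is None:
            hits.append(uri)
    return hits


# Constructed sample log lines (not from any real system).
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Nov/2020:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [18/Nov/2020:10:01:07 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 200 1450',
    '10.0.0.9 - - [18/Nov/2020:10:01:09 +0000] "GET /static/%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1450',
    '10.0.0.9 - - [18/Nov/2020:10:01:11 +0000] "GET /static/....//....//etc/passwd HTTP/1.1" 200 1450',
]

if __name__ == "__main__":
    print("naive_strip bypass ->", naive_strip("/static/....//....//etc/passwd"))
    for uri in ("/index.html", "/static/../../../../etc/passwd"):
        print(uri, "->", resolve_under_root(WEB_ROOT, uri))
    print("flagged:", flag_traversal(SAMPLE_LOG))
```

The containment check (`full.startswith(root + "/")`) after `normpath` is what actually enforces the restricted path; pattern matching on "../" alone, as `naive_strip` shows, is not a fix and is best used only as a detection signal.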
Cisco has not issued any workaround that addresses this vulnerability; however, Cisco has released software updates for the product. Users and administrators are advised to apply the Cisco updates.