CVE-2019-18375 - OpenCVE

The ASG and ProxySG management consoles are susceptible to a session hijacking vulnerability. A remote attacker, with access to the appliance management interface, can hijack the session of a currently logged-in user and access the management console.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Broadcom	Symantec Proxysg Advanced Secure Gateway

Configuration 1 [-]

OR	cpe:2.3:a:broadcom:advanced_secure_gateway::::::::
	cpe:2.3:a:broadcom:advanced_secure_gateway::::::::

Configuration 2 [-]

OR	cpe:2.3:a:broadcom:symantec_proxysg::::::::
	cpe:2.3:a:broadcom:symantec_proxysg::::::::

References

Link	Resource
https://support.broadcom.com/security-advisory/security-advisory-detail.html?notificationId=SYMSA1752	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: symantec

Published: 2020-04-09T23:16:17

Updated: 2020-04-09T23:16:17

Reserved: 2019-10-23T00:00:00

Link: CVE-2019-18375

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-04-10T00:15:11.160

Modified: 2021-07-08T16:37:44.830

Link: CVE-2019-18375

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"containers": {"cna": {"affected": [{"product": "Symantec Advanced Secure Gateway (ASG) and ProxySG", "vendor": "n/a", "versions": [{"status": "affected", "version": "ASG 6.7.4 prior to 6.7.4.10, ASG 7.x prior to 7.2.0.1, ProxySG 6.7.4 prior to 6.7.4.10, ProxySG 7.x prior to 7.2.0.1"}]}], "descriptions": [{"lang": "en", "value": "The ASG and ProxySG management consoles are susceptible to a session hijacking vulnerability. A remote attacker, with access to the appliance management interface, can hijack the session of a currently logged-in user and access the management console."}], "problemTypes": [{"descriptions": [{"description": "Session hijacking", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-04-09T23:16:17", "orgId": "80d3bcb6-88de-48c2-a47e-aebf795f19b5", "shortName": "symantec"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://support.broadcom.com/security-advisory/security-advisory-detail.html?notificationId=SYMSA1752"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secure@symantec.com", "ID": "CVE-2019-18375", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Symantec Advanced Secure Gateway (ASG) and ProxySG", "version": {"version_data": [{"version_value": "ASG 6.7.4 prior to 6.7.4.10, ASG 7.x prior to 7.2.0.1, ProxySG 6.7.4 prior to 6.7.4.10, ProxySG 7.x prior to 7.2.0.1"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The ASG and ProxySG management consoles are susceptible to a session hijacking vulnerability. A remote attacker, with access to the appliance management interface, can hijack the session of a currently logged-in user and access the management console."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Session hijacking"}]}]}, "references": {"reference_data": [{"name": "https://support.broadcom.com/security-advisory/security-advisory-detail.html?notificationId=SYMSA1752", "refsource": "MISC", "url": "https://support.broadcom.com/security-advisory/security-advisory-detail.html?notificationId=SYMSA1752"}]}}}}, "cveMetadata": {"assignerOrgId": "80d3bcb6-88de-48c2-a47e-aebf795f19b5", "assignerShortName": "symantec", "cveId": "CVE-2019-18375", "datePublished": "2020-04-09T23:16:17", "dateReserved": "2019-10-23T00:00:00", "dateUpdated": "2020-04-09T23:16:17", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:broadcom:advanced_secure_gateway:*:*:*:*:*:*:*:*", "matchCriteriaId": "E268AFF2-E368-4574-9CE4-923C9C510E24", "versionEndExcluding": "6.7.4.10", "versionStartIncluding": "6.7.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:broadcom:advanced_secure_gateway:*:*:*:*:*:*:*:*", "matchCriteriaId": "ED2A0D93-FEEC-43B1-9766-032B87E88C38", "versionEndExcluding": "7.2.0.1", "versionStartIncluding": "7.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:broadcom:symantec_proxysg:*:*:*:*:*:*:*:*", "matchCriteriaId": "250EAC78-79F0-4ACF-86DB-54A6826832A8", "versionEndExcluding": "6.7.4.10", "versionStartIncluding": "6.7.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:broadcom:symantec_proxysg:*:*:*:*:*:*:*:*", "matchCriteriaId": "8C91A22D-A943-4DA8-8557-1B4EDB392D09", "versionEndExcluding": "7.2.0.1", "versionStartIncluding": "7.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The ASG and ProxySG management consoles are susceptible to a session hijacking vulnerability. A remote attacker, with access to the appliance management interface, can hijack the session of a currently logged-in user and access the management console."}, {"lang": "es", "value": "Las consolas de administraci\u00f3n de ASG y ProxySG, son susceptibles a una vulnerabilidad de secuestro de sesi\u00f3n. Un atacante remoto, con acceso a la interfaz de administraci\u00f3n del dispositivo, puede secuestrar la sesi\u00f3n de un usuario actualmente registrado y acceder a la consola de administraci\u00f3n."}], "id": "CVE-2019-18375", "lastModified": "2021-07-08T16:37:44.830", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-04-10T00:15:11.160", "references": [{"source": "secure@symantec.com", "tags": ["Vendor Advisory"], "url": "https://support.broadcom.com/security-advisory/security-advisory-detail.html?notificationId=SYMSA1752"}], "sourceIdentifier": "secure@symantec.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}