Description
An unauthenticated, remote attacker might use a vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software to conduct directory traversal attacks and read sensitive data on a targeted machine. A lack of sufficient input validation of URLs in HTTP requests performed by an affected device is the source of the vulnerability. An attacker could take advantage of this flaw by sending a specially crafted HTTP request to a device that contains directory traversal character sequences. A successful exploit could allow the attacker to view arbitrary files on the affected device’s web services file system. When the afflicted device is setup with WebVPN or AnyConnect functionality, the web services file system is enabled. This vulnerability cannot be used to get access to ASA or FTD system files or the underlying operating system (OS).
Recommendations
- Update to the latest version
