CVE & CISA-KEV Catalog

CVE-2020-3297

CRITICALEPSS 86th pctl
9.8
CVSS v3
NVD

Description

A vulnerability in session management for the web-based interface of Cisco Small Business Smart and Managed Switches could allow an unauthenticated, remote attacker to defeat authentication protections and gain unauthorized access to the management interface. The attacker could obtain the privileges of the highjacked session account, which could include administrator privileges on the device. The vulnerability is due to the use of weak entropy generation for session identifier values. An attacker could exploit this vulnerability to determine a current session identifier through brute force and reuse that session identifier to take over an ongoing session. In this way, an attacker could take actions within the management interface with privileges up to the level of the administrative user.

How to fix

Remediation Available
sf250-24 firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sf250-24p firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sf250-48 firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sf250-48hp firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sf350-48 firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sf350-48mp firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sf350-48p firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sf550x-24 firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sf550x-24mp firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sf550x-24p firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sf550x-48 firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sf550x-48mp firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sf550x-48p firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sg250-08 firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sg250-08hp firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sg250-10p firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sg250-18 firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sg250-26 firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sg250-26hp firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sg250-26p firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sg250-50 firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sg250-50hp firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sg250-50p firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sg250x-24 firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sg250x-24p firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sg250x-48 firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sg250x-48p firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sg350-10 firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sg350-10mp firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sg350-10p firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sg350-28 firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sg350-28mp firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sg350-28p firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sg350x-24 firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sg350x-24mp firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sg350x-24p firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sg350x-48 firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sg350x-48mp firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sg350x-48p firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sg350xg-24f firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sg350xg-24t firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sg350xg-2f10 firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sg350xg-48t firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sg355-10p firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sg550x-24 firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sg550x-24mp firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sg550x-24mpp firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sg550x-24p firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sg550x-48 firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sg550x-48mp firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sg550x-48p firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sx550x-12f firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sx550x-16ft firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sx550x-24 firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sx550x-24f firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sx550x-24ft firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD
sx550x-52 firmwareNVD
Affected:< 2.5.5.47Fixed in:2.5.5.47CVE-2020-3297derived from NVD

Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.

CVSS v3 Vector

Exploitability

Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredNone
User InteractionNone
ScopeUnchanged

Impact

ConfidentialityHigh
IntegrityHigh
AvailabilityHigh

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploit Intelligence

3.04%probability of exploitation in 30 days
86thpercentile

Elevated risk: more likely to be exploited than 86% of all known CVEs.

References

Vendor Advisory1

Related Vulnerabilities

Other CWE-287 (Improper Authentication) vulnerabilities, ordered by exploit likelihood. View all

CVESeverityCVSSEPSSExploitedFix
CVE-2023-35082Critical9.8100%KEV + RansomFix
CVE-2023-35078Critical9.8100%KEV + RansomFix
CVE-2017-7921Critical9.8100%KEV-
CVE-2024-7593Critical9.8100%KEV-
CVE-2023-46805High8.2100%KEV + Ransom-
CVE-2022-40684Critical9.8100%KEV + RansomFix
Embed a live status badge for CVE-2020-3297
CVE-2020-3297 severity badge

Markdown

[![CVE-2020-3297](https://tridentstack.com/cve/badge/CVE-2020-3297.svg)](https://tridentstack.com/cve/CVE-2020-3297)

HTML

<a href="https://tridentstack.com/cve/CVE-2020-3297"><img src="https://tridentstack.com/cve/badge/CVE-2020-3297.svg" alt="CVE-2020-3297"></a>

Find and fix vulnerabilities across your fleet

TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.

Start free

This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2024-11-21.