CVE-2014-3314

Cisco AnyConnect on Android and OS X does not properly verify the host type, which allows remote attackers to spoof authentication forms and possibly capture credentials via unspecified vectors, aka Bug IDs CSCuo24931 and CSCuo24940.

CVSS v2.0 5.0 MEDIUM

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3314	Vendor Advisory
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3314	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:cisco:anyconnect_secure_mobility_client:*:*:*:*:*:android:*:*

Configuration 2 (hide)

cpe:2.3:a:cisco:anyconnect_secure_mobility_client:*:*:*:*:*:macos:*:*

History

21 Nov 2024, 02:07

Type	Values Removed	Values Added
References	~~() http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3314 - Vendor Advisory~~	() http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3314 - Vendor Advisory

Information

Published : 2015-01-14 19:59

Updated : 2025-04-12 10:46

NVD link : CVE-2014-3314

Mitre link : CVE-2014-3314

CVE.ORG link : CVE-2014-3314

JSON object : View

Products Affected

cisco

anyconnect_secure_mobility_client

CWE

CWE-20

Improper Input Validation

{"id": "CVE-2014-3314", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2015-01-14T19:59:00.053", "references": [{"url": "http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3314", "tags": ["Vendor Advisory"], "source": "psirt@cisco.com"}, {"url": "http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3314", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "Cisco AnyConnect on Android and OS X does not properly verify the host type, which allows remote attackers to spoof authentication forms and possibly capture credentials via unspecified vectors, aka Bug IDs CSCuo24931 and CSCuo24940."}, {"lang": "es", "value": "Cisco AnyConnect en Android y OS X no verifica correctamente el tipo de anfitri\u00f3n, lo que permite a atacantes remotos falsificar los formularios de autenticaci\u00f3n y posiblemente capturar credenciales a trav\u00e9s de vectores no especificados, tambi\u00e9n conocido como Bug IDs CSCuo24931 y CSCuo24940."}], "lastModified": "2025-04-12T10:46:40.837", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:*:*:*:*:*:android:*:*", "vulnerable": true, "matchCriteriaId": "12BB93A9-0CB4-48A6-8143-B2BF69DA8775"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:*:*:*:*:*:macos:*:*", "vulnerable": true, "matchCriteriaId": "78920BE8-99BD-408D-95C5-4CAE484CF232"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@cisco.com"}