CVE-2020-26082: Input Validation
First published: Fri Aug 04 2023(Updated: )
A vulnerability in the zip decompression engine of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass content filters that are configured on an affected device. The vulnerability is due to improper handling of password-protected zip files. An attacker could exploit this vulnerability by sending a malicious file inside a crafted zip-compressed file to an affected device. A successful exploit could allow the attacker to bypass configured content filters that would normally drop the email.
Credit: ykramarz@cisco.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cisco AsyncOS Software | <13.5.2 | |
| Cisco AsyncOS Software for Cisco Email Security Appliances | ||
| Cisco Email Security Appliance | ||
| Cisco AsyncOS Software for Cisco Email Security Appliances | ||
| Cisco Email Security Appliance | ||
| Cisco Email Security Appliance C680 | ||
| Cisco Email Security Appliance C690 | ||
| Cisco Email Security Appliance | ||
| All of | ||
| Cisco AsyncOS Software | <13.5.2 | |
| Any of | ||
| Cisco AsyncOS Software for Cisco Email Security Appliances | ||
| Cisco Email Security Appliance | ||
| Cisco AsyncOS Software for Cisco Email Security Appliances | ||
| Cisco Email Security Appliance | ||
| Cisco Email Security Appliance C680 | ||
| Cisco Email Security Appliance C690 | ||
| Cisco Email Security Appliance |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2020-26082?
CVE-2020-26082 is a vulnerability in the zip decompression engine of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) that could allow an unauthenticated, remote attacker to bypass content filters.
What is the severity of CVE-2020-26082?
The severity of CVE-2020-26082 is medium with a CVSS score of 5.8.
How can an unauthenticated attacker exploit CVE-2020-26082?
An unauthenticated attacker can exploit CVE-2020-26082 by sending a specially crafted zip file to the affected device.
Is there a fix available for CVE-2020-26082?
Yes, Cisco has released software updates to address CVE-2020-26082.
Where can I find more information about CVE-2020-26082?
You can find more information about CVE-2020-26082 on the Cisco Security Advisory website.
- collector/nvd-latest
- agent/type
- agent/weakness
- agent/references
- agent/severity
- agent/first-publish-date
- agent/event
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/source
- agent/author
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- vendor/cisco
- canonical/cisco asyncos software
- canonical/cisco asyncos software for cisco email security appliances
- canonical/cisco email security appliance
- canonical/cisco email security appliance c680
- canonical/cisco email security appliance c690