PT-2009-6576 · Cisco · Cisco Asa

Published: 2009-12-29 · Updated: 2018-10-10 · CVE-2009-4455

CVSS v2.0: 6.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Cisco ASA versions 7.0 through 8.2

Description: The default configuration of Cisco ASA allows portal traffic to access arbitrary backend servers. This might allow remote authenticated users to bypass intended access restrictions and access unauthorized web sites via a crafted URL. The issue was initially reported in relation to the Cisco WebVPN bookmark component, but the vendor clarified that the bookmark feature is not a security feature.

Recommendations: For Cisco ASA versions 7.0 through 8.2, consider restricting access to arbitrary backend servers to minimize the risk of exploitation. As a temporary workaround, limit the URLs that can be accessed through the portal traffic. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Related Identifiers: CVE-2009-4455

Affected Products: Cisco Asa