ID

VAR-202004-1236


CVE

CVE-2020-3177


TITLE

Cisco Unified Communications Manager and Unified Communications Manager Session Management Edition Path Traversal Vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2020-004774

DESCRIPTION

A vulnerability in the Tool for Auto-Registered Phones Support (TAPS) of Cisco Unified Communications Manager (UCM) and Cisco Unified Communications Manager Session Management Edition (SME) could allow an unauthenticated, remote attacker to conduct directory traversal attacks on an affected device. The vulnerability is due to insufficient validation of user-supplied input to the TAPS interface of the affected device. An attacker could exploit this vulnerability by sending a crafted request to the TAPS interface. A successful exploit could allow the attacker to read arbitrary files in the system. This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution.

Trust: 1.71

sources: NVD: CVE-2020-3177 // JVNDB: JVNDB-2020-004774 // VULHUB: VHN-181302

AFFECTED PRODUCTS

vendor: cisco, model: unified communications manager, scope: eq, version: 12.0(1.10000.10)

Trust: 1.0

vendor: cisco, model: unified communications manager, scope: eq, version: 10.5(2.10000.5)

Trust: 1.0

vendor: cisco, model: unified contact center express, scope: eq, version: 12.0(1)

Trust: 1.0

vendor: cisco, model: unified communications manager, scope: eq, version: 11.5(1.10000.6)

Trust: 1.0

vendor: cisco, model: unified communications manager, scope: eq, version: 12.5(1.10000.22)

Trust: 1.0

vendor: cisco, model: unified communications manager, scope: -, version: -

Trust: 0.8

vendor: cisco, model: unified contact center express, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2020-004774 // NVD: CVE-2020-3177

CVSS

SEVERITY

nvd@nist.gov: CVE-2020-3177
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3177
value: HIGH

Trust: 1.0

NVD: JVNDB-2020-004774
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202004-1103
value: HIGH

Trust: 0.6

VULHUB: VHN-181302
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2020-3177
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-004774
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-181302
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2020-3177
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3177
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 1.0

NVD: JVNDB-2020-004774
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-181302 // JVNDB: JVNDB-2020-004774 // CNNVD: CNNVD-202004-1103 // NVD: CVE-2020-3177 // NVD: CVE-2020-3177

PROBLEMTYPE DATA

problemtype: CWE-22

Trust: 1.9

sources: VULHUB: VHN-181302 // JVNDB: JVNDB-2020-004774 // NVD: CVE-2020-3177

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202004-1103

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-202004-1103

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-004774

PATCH

title: cisco-sa-cucm-taps-path-trav-pfsFO93r
url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-taps-path-trav-pfsFO93r

Trust: 0.8

title: Cisco Unified Communications Manager and Unified Communications Manager Session Management Edition Repair measures for path traversal vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=114628

Trust: 0.6

sources: JVNDB: JVNDB-2020-004774 // CNNVD: CNNVD-202004-1103

EXTERNAL IDS

db: NVD, id: CVE-2020-3177

Trust: 2.5

db: JVNDB, id: JVNDB-2020-004774

Trust: 0.8

db: CNNVD, id: CNNVD-202004-1103

Trust: 0.7

db: NSFOCUS, id: 47638

Trust: 0.6

db: AUSCERT, id: ESB-2020.1324

Trust: 0.6

db: CNVD, id: CNVD-2020-25343

Trust: 0.1

db: VULHUB, id: VHN-181302

Trust: 0.1

sources: VULHUB: VHN-181302 // JVNDB: JVNDB-2020-004774 // CNNVD: CNNVD-202004-1103 // NVD: CVE-2020-3177

REFERENCES

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-cucm-taps-path-trav-pfsfo93r

Trust: 2.3

url: https://nvd.nist.gov/vuln/detail/cve-2020-3177

Trust: 1.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-3177

Trust: 0.8

url: https://www.auscert.org.au/bulletins/esb-2020.1324/

Trust: 0.6

url: https://vigilance.fr/vulnerability/cisco-unified-communications-manager-directory-traversal-via-taps-32041

Trust: 0.6

url: http://www.nsfocus.net/vulndb/47638

Trust: 0.6

sources: VULHUB: VHN-181302 // JVNDB: JVNDB-2020-004774 // CNNVD: CNNVD-202004-1103 // NVD: CVE-2020-3177

SOURCES

db: VULHUB, id: VHN-181302
db: JVNDB, id: JVNDB-2020-004774
db: CNNVD, id: CNNVD-202004-1103
db: NVD, id: CVE-2020-3177

LAST UPDATE DATE

2024-08-14T14:38:30.348000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-181302, date: 2020-04-28T00:00:00
db: JVNDB, id: JVNDB-2020-004774, date: 2020-05-27T00:00:00
db: CNNVD, id: CNNVD-202004-1103, date: 2020-08-12T00:00:00
db: NVD, id: CVE-2020-3177, date: 2020-04-28T18:31:59.813

SOURCES RELEASE DATE

db: VULHUB, id: VHN-181302, date: 2020-04-15T00:00:00
db: JVNDB, id: JVNDB-2020-004774, date: 2020-05-27T00:00:00
db: CNNVD, id: CNNVD-202004-1103, date: 2020-04-15T00:00:00
db: NVD, id: CVE-2020-3177, date: 2020-04-15T21:15:35.263