Details of VAR-202204-0846

ID

VAR-202204-0846

CVE

CVE-2022-20735

TITLE

Cisco SD-WAN vManage Software Cross-site request forgery vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2022-011008

DESCRIPTION

A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. This vulnerability is due to insufficient CSRF protections for the web-based management interface on an affected system. An attacker could exploit this vulnerability by persuading a user of the interface to click a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. These actions could include modifying the system configuration and deleting accounts. Cisco SD-WAN vManage Software is a management software for SD-WAN (Software Defined Wide Area Network) solutions from Cisco

Trust: 1.8

sources: NVD: CVE-2022-20735 // JVNDB: JVNDB-2022-011008 // VULHUB: VHN-405288 // VULMON: CVE-2022-20735

AFFECTED PRODUCTS

vendor:	cisco	model:	sd-wan vmanage	scope:	lt	version:	20.6.1	Trust: 1.0
vendor:	cisco	model:	catalyst sd-wan manager	scope:	eq	version:	20.7	Trust: 1.0
vendor:	シスコシステムズ	model:	cisco sd-wan vmanage	scope:	eq	version:	-	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco sd-wan vmanage	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2022-011008 // NVD: CVE-2022-20735

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-20735
value:	MEDIUM
Trust: 1.0
ykramarz@cisco.com:	CVE-2022-20735
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2022-20735
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202204-3459
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-405288
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2022-20735
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2022-20735
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-405288
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2022-20735
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	3.6
version:	3.1
Trust: 2.0
NVD:	CVE-2022-20735
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-405288 // VULMON: CVE-2022-20735 // JVNDB: JVNDB-2022-011008 // CNNVD: CNNVD-202204-3459 // NVD: CVE-2022-20735 // NVD: CVE-2022-20735

PROBLEMTYPE DATA

problemtype:	CWE-352	Trust: 1.1
problemtype:	Cross-site request forgery (CWE-352) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-405288 // JVNDB: JVNDB-2022-011008 // NVD: CVE-2022-20735

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202204-3459

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-202204-3459

PATCH

title:	cisco-sa-sdwan-vmanage-csrf-rxQL4tXR	url:	https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-vmanage-csrf-rxQL4tXR	Trust: 0.8
title:	Cisco SD-WAN vManage Software Fixes for cross-site request forgery vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=189516	Trust: 0.6
title:	Cisco: Cisco SD-WAN vManage Software Cross-Site Request Forgery Vulnerability	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-sdwan-vmanage-csrf-rxQL4tXR	Trust: 0.1
title:	CVE-2022-XXXX	url:	https://github.com/AlphabugX/CVE-2022-23305	Trust: 0.1
title:	CVE-2022-XXXX	url:	https://github.com/AlphabugX/CVE-2022-RCE	Trust: 0.1

sources: VULMON: CVE-2022-20735 // JVNDB: JVNDB-2022-011008 // CNNVD: CNNVD-202204-3459

EXTERNAL IDS

db:	NVD	id:	CVE-2022-20735	Trust: 3.4
db:	JVNDB	id:	JVNDB-2022-011008	Trust: 0.8
db:	CS-HELP	id:	SB2022041502	Trust: 0.6
db:	CNNVD	id:	CNNVD-202204-3459	Trust: 0.6
db:	CNVD	id:	CNVD-2022-46477	Trust: 0.1
db:	VULHUB	id:	VHN-405288	Trust: 0.1
db:	VULMON	id:	CVE-2022-20735	Trust: 0.1

sources: VULHUB: VHN-405288 // VULMON: CVE-2022-20735 // JVNDB: JVNDB-2022-011008 // CNNVD: CNNVD-202204-3459 // NVD: CVE-2022-20735

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-sdwan-vmanage-csrf-rxql4txr	Trust: 1.9
url:	https://nvd.nist.gov/vuln/detail/cve-2022-20735	Trust: 0.8
url:	https://cxsecurity.com/cveshow/cve-2022-20735/	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022041502	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/352.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://github.com/alphabugx/cve-2022-23305	Trust: 0.1

sources: VULHUB: VHN-405288 // VULMON: CVE-2022-20735 // JVNDB: JVNDB-2022-011008 // CNNVD: CNNVD-202204-3459 // NVD: CVE-2022-20735

SOURCES

db:	VULHUB	id:	VHN-405288
db:	VULMON	id:	CVE-2022-20735
db:	JVNDB	id:	JVNDB-2022-011008
db:	CNNVD	id:	CNNVD-202204-3459
db:	NVD	id:	CVE-2022-20735

LAST UPDATE DATE

2024-08-14T13:53:28.287000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-405288	date:	2022-05-13T00:00:00
db:	VULMON	id:	CVE-2022-20735	date:	2023-11-07T00:00:00
db:	JVNDB	id:	JVNDB-2022-011008	date:	2023-08-18T06:12:00
db:	CNNVD	id:	CNNVD-202204-3459	date:	2022-05-16T00:00:00
db:	NVD	id:	CVE-2022-20735	date:	2023-11-07T03:42:47.627

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-405288	date:	2022-04-15T00:00:00
db:	VULMON	id:	CVE-2022-20735	date:	2022-04-15T00:00:00
db:	JVNDB	id:	JVNDB-2022-011008	date:	2023-08-18T00:00:00
db:	CNNVD	id:	CNNVD-202204-3459	date:	2022-04-15T00:00:00
db:	NVD	id:	CVE-2022-20735	date:	2022-04-15T15:15:13.723