Details of VAR-202204-0862

ID

VAR-202204-0862

CVE

CVE-2022-20695

TITLE

Cisco Wireless LAN Controller Software Authentication vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2022-011198

DESCRIPTION

A vulnerability in the authentication functionality of Cisco Wireless LAN Controller (WLC) Software could allow an unauthenticated, remote attacker to bypass authentication controls and log in to the device through the management interface This vulnerability is due to the improper implementation of the password validation algorithm. An attacker could exploit this vulnerability by logging in to an affected device with crafted credentials. A successful exploit could allow the attacker to bypass authentication and log in to the device as an administrator. The attacker could obtain privileges that are the same level as an administrative user but it depends on the crafted credentials. Note: This vulnerability exists because of a non-default device configuration that must be present for it to be exploitable. For details about the vulnerable configuration, see the Vulnerable Products section of this advisory. (DoS) It may be in a state. Cisco Wireless LAN Controller (WLC) is a wireless LAN controller product of Cisco (Cisco). The product provides security policy, intrusion detection and other functions in the wireless local area network

Trust: 2.25

sources: NVD: CVE-2022-20695 // JVNDB: JVNDB-2022-011198 // CNVD: CNVD-2022-46481 // VULMON: CVE-2022-20695

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2022-46481

AFFECTED PRODUCTS

vendor:	cisco	model:	wireless lan controller 8.10.151.0	scope:	eq	version:	*	Trust: 1.0
vendor:	cisco	model:	wireless lan controller 8.10.162.0	scope:	eq	version:	*	Trust: 1.0
vendor:	シスコシステムズ	model:	cisco wireless lan controller	scope:	-	version:	-	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco wireless lan controller	scope:	eq	version:	-	Trust: 0.8
vendor:	cisco	model:	wireless lan controller	scope:	eq	version:	8.10.151.0	Trust: 0.6
vendor:	cisco	model:	wireless lan controller	scope:	eq	version:	8.10.162.0	Trust: 0.6

sources: CNVD: CNVD-2022-46481 // JVNDB: JVNDB-2022-011198 // NVD: CVE-2022-20695

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-20695
value:	CRITICAL
Trust: 1.0
ykramarz@cisco.com:	CVE-2022-20695
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2022-20695
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2022-46481
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-202204-3313
value:	CRITICAL
Trust: 0.6
VULMON:	CVE-2022-20695
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2022-20695
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2022-46481
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2022-20695
baseSeverity:	CRITICAL
baseScore:	10.0
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	6.0
version:	3.1
Trust: 2.0
NVD:	CVE-2022-20695
baseSeverity:	CRITICAL
baseScore:	10.0
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2022-46481 // VULMON: CVE-2022-20695 // JVNDB: JVNDB-2022-011198 // CNNVD: CNNVD-202204-3313 // NVD: CVE-2022-20695 // NVD: CVE-2022-20695

PROBLEMTYPE DATA

problemtype:	CWE-303	Trust: 1.0
problemtype:	CWE-287	Trust: 1.0
problemtype:	Inappropriate authentication (CWE-287) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2022-011198 // NVD: CVE-2022-20695

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202204-3313

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-202204-3313

PATCH

title:	cisco-sa-wlc-auth-bypass-JRNhV4fF	url:	https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-auth-bypass-JRNhV4fF	Trust: 0.8
title:	Patch for Cisco Wireless LAN Controller Authentication Bypass Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/336706	Trust: 0.6
title:	Cisco Wireless LAN Controller Remediation measures for authorization problem vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=192810	Trust: 0.6
title:	Cisco: Cisco Wireless LAN Controller Management Interface Authentication Bypass Vulnerability	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-wlc-auth-bypass-JRNhV4fF	Trust: 0.1
title:	CVE-2022-XXXX	url:	https://github.com/AlphabugX/CVE-2022-23305	Trust: 0.1
title:	CVE-2022-XXXX	url:	https://github.com/AlphabugX/CVE-2022-RCE	Trust: 0.1

sources: CNVD: CNVD-2022-46481 // VULMON: CVE-2022-20695 // JVNDB: JVNDB-2022-011198 // CNNVD: CNNVD-202204-3313

EXTERNAL IDS

db:	NVD	id:	CVE-2022-20695	Trust: 3.9
db:	JVNDB	id:	JVNDB-2022-011198	Trust: 0.8
db:	CNVD	id:	CNVD-2022-46481	Trust: 0.6
db:	CS-HELP	id:	SB2022041420	Trust: 0.6
db:	AUSCERT	id:	ESB-2022.1623	Trust: 0.6
db:	CNNVD	id:	CNNVD-202204-3313	Trust: 0.6
db:	VULMON	id:	CVE-2022-20695	Trust: 0.1

sources: CNVD: CNVD-2022-46481 // VULMON: CVE-2022-20695 // JVNDB: JVNDB-2022-011198 // CNNVD: CNNVD-202204-3313 // NVD: CVE-2022-20695

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-wlc-auth-bypass-jrnhv4ff	Trust: 1.8
url:	https://vigilance.fr/vulnerability/cisco-wireless-lan-controller-code-execution-via-management-interface-38058	Trust: 1.2
url:	https://nvd.nist.gov/vuln/detail/cve-2022-20695	Trust: 0.8
url:	https://www.cybersecurity-help.cz/vdb/sb2022041420	Trust: 0.6
url:	https://cxsecurity.com/cveshow/cve-2022-20695/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2022.1623	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/287.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://github.com/alphabugx/cve-2022-23305	Trust: 0.1

sources: CNVD: CNVD-2022-46481 // VULMON: CVE-2022-20695 // JVNDB: JVNDB-2022-011198 // CNNVD: CNNVD-202204-3313 // NVD: CVE-2022-20695

SOURCES

db:	CNVD	id:	CNVD-2022-46481
db:	VULMON	id:	CVE-2022-20695
db:	JVNDB	id:	JVNDB-2022-011198
db:	CNNVD	id:	CNNVD-202204-3313
db:	NVD	id:	CVE-2022-20695

LAST UPDATE DATE

2024-11-23T22:24:52.538000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2022-46481	date:	2022-06-21T00:00:00
db:	VULMON	id:	CVE-2022-20695	date:	2023-11-07T00:00:00
db:	JVNDB	id:	JVNDB-2022-011198	date:	2023-08-21T04:25:00
db:	CNNVD	id:	CNNVD-202204-3313	date:	2022-05-16T00:00:00
db:	NVD	id:	CVE-2022-20695	date:	2024-11-21T06:43:20.707

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2022-46481	date:	2022-06-21T00:00:00
db:	VULMON	id:	CVE-2022-20695	date:	2022-04-15T00:00:00
db:	JVNDB	id:	JVNDB-2022-011198	date:	2023-08-21T00:00:00
db:	CNNVD	id:	CNNVD-202204-3313	date:	2022-04-13T00:00:00
db:	NVD	id:	CVE-2022-20695	date:	2022-04-15T15:15:12.917