Details of VAR-202204-1332

ID

VAR-202204-1332

CVE

CVE-2022-20790

TITLE

Cisco Unified Communications Manager Path traversal vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-202204-3895

DESCRIPTION

A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to read arbitrary files from the underlying operating system. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request that contains directory traversal character sequences to an affected system. A successful exploit could allow the attacker to access sensitive files on the underlying operating system. This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution

Trust: 1.08

sources: NVD: CVE-2022-20790 // VULHUB: VHN-405343 // VULMON: CVE-2022-20790

AFFECTED PRODUCTS

vendor:

cisco

model:

unified communications manager

scope:

lte

version:

14.0

Trust: 1.0

sources: NVD: CVE-2022-20790

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-20790
value:	MEDIUM
Trust: 1.0
ykramarz@cisco.com:	CVE-2022-20790
value:	MEDIUM
Trust: 1.0
CNNVD:	CNNVD-202204-3895
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-405343
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2022-20790
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2022-20790
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
VULHUB:	VHN-405343
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2022-20790
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	3.6
version:	3.1
Trust: 2.0

sources: VULHUB: VHN-405343 // VULMON: CVE-2022-20790 // CNNVD: CNNVD-202204-3895 // NVD: CVE-2022-20790 // NVD: CVE-2022-20790

PROBLEMTYPE DATA

problemtype:	CWE-22	Trust: 1.1
problemtype:	CWE-23	Trust: 1.0

sources: VULHUB: VHN-405343 // NVD: CVE-2022-20790

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202204-3895

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-202204-3895

PATCH

title:	Cisco Unified Communications Manager Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=190176	Trust: 0.6
title:	Cisco: Cisco Unified Communications Products Arbitrary File Read Vulnerability	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-ucm-file-read-h8h4HEJ3	Trust: 0.1
title:	CVE-2022-XXXX	url:	https://github.com/AlphabugX/CVE-2022-23305	Trust: 0.1
title:	CVE-2022-XXXX	url:	https://github.com/AlphabugX/CVE-2022-RCE	Trust: 0.1

sources: VULMON: CVE-2022-20790 // CNNVD: CNNVD-202204-3895

EXTERNAL IDS

db:	NVD	id:	CVE-2022-20790	Trust: 1.8
db:	CS-HELP	id:	SB2022042111	Trust: 0.6
db:	CNNVD	id:	CNNVD-202204-3895	Trust: 0.6
db:	CNVD	id:	CNVD-2022-44704	Trust: 0.1
db:	VULHUB	id:	VHN-405343	Trust: 0.1
db:	VULMON	id:	CVE-2022-20790	Trust: 0.1

sources: VULHUB: VHN-405343 // VULMON: CVE-2022-20790 // CNNVD: CNNVD-202204-3895 // NVD: CVE-2022-20790

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-ucm-file-read-h8h4hej3	Trust: 2.4
url:	https://www.cybersecurity-help.cz/vdb/sb2022042111	Trust: 0.6
url:	https://cxsecurity.com/cveshow/cve-2022-20790/	Trust: 0.6
url:	https://vigilance.fr/vulnerability/cisco-unified-communications-manager-directory-traversal-38119	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/22.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://sec.cloudapps.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-ucm-file-read-h8h4hej3	Trust: 0.1
url:	https://github.com/alphabugx/cve-2022-23305	Trust: 0.1

sources: VULHUB: VHN-405343 // VULMON: CVE-2022-20790 // CNNVD: CNNVD-202204-3895 // NVD: CVE-2022-20790

SOURCES

db:	VULHUB	id:	VHN-405343
db:	VULMON	id:	CVE-2022-20790
db:	CNNVD	id:	CNNVD-202204-3895
db:	NVD	id:	CVE-2022-20790

LAST UPDATE DATE

2024-08-14T14:18:00.917000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-405343	date:	2022-05-03T00:00:00
db:	VULMON	id:	CVE-2022-20790	date:	2023-11-07T00:00:00
db:	CNNVD	id:	CNNVD-202204-3895	date:	2022-05-05T00:00:00
db:	NVD	id:	CVE-2022-20790	date:	2023-11-07T03:42:57.763

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-405343	date:	2022-04-21T00:00:00
db:	VULMON	id:	CVE-2022-20790	date:	2022-04-21T00:00:00
db:	CNNVD	id:	CNNVD-202204-3895	date:	2022-04-20T00:00:00
db:	NVD	id:	CVE-2022-20790	date:	2022-04-21T19:15:08.687