ID

VAR-202204-1513


CVE

CVE-2022-20693


TITLE

OS command injection vulnerability in Cisco IOS XE Software

Trust: 0.8

sources: JVNDB: JVNDB-2022-009571

DESCRIPTION

A vulnerability in the web UI feature of Cisco IOS XE Software could allow an authenticated, remote attacker to perform an injection attack against an affected device. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending crafted input to the web UI API. A successful exploit could allow the attacker to inject commands to the underlying operating system with root privileges. The affected device may also be left in a denial-of-service (DoS) state. Cisco IOS XE Software is an operating system from Cisco. A single operating system for enterprise wired and wireless access, aggregation, core, and WAN, Cisco IOS XE reduces business and network complexity.

Trust: 1.8

sources: NVD: CVE-2022-20693 // JVNDB: JVNDB-2022-009571 // VULHUB: VHN-405246 // VULMON: CVE-2022-20693

AFFECTED PRODUCTS

vendor: cisco, model: ios xe, scope: eq, version: 17.2.1a

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.12.2

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 17.3.1z

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.12.1y

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.12.3a

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 17.3.2

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 17.1.1

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 17.5.1

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 17.6.1a

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 17.3.2a

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 17.4.2

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 17.4.2a

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 17.3.1w

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.12.1s

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 17.5.1a

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 17.4.1a

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.12.1w

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 17.1.1s

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 17.2.1v

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 17.3.1x

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 17.4.1c

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 17.3.1

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 17.3.3

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.12.1x

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.12.1

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 3.15.1xbs

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 17.2.1r

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 17.2.1

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 17.6.1w

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 17.3.3a

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 17.3.4b

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 17.6.1

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.12.1c

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.12.5a

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.12.1z2

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.12.5b

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.12.2s

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.12.1z

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 17.3.4a

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.12.2t

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 17.2.3

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 17.4.1b

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.12.1t

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 17.4.1

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 17.1.1a

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 17.1.2

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.12.2a

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 17.3.1a

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 3.15.2xbs

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.12.1a

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 17.1.3

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 17.2.2

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.12.4a

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 17.3.4

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 17.3.4c

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 17.1.1t

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.12.1z1

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.12.4

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.12.6

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.12.5

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.12.3

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.12.3s

Trust: 1.0

vendor: cisco, model: ios xe, scope: eq, version: 16.12.6a

Trust: 1.0

vendor: Cisco Systems, model: cisco ios xe, scope: -, version: -

Trust: 0.8

vendor: Cisco Systems, model: cisco ios xe, scope: eq, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2022-009571 // NVD: CVE-2022-20693

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-20693
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2022-20693
value: MEDIUM

Trust: 1.0

NVD: CVE-2022-20693
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202204-3350
value: HIGH

Trust: 0.6

VULHUB: VHN-405246
value: HIGH

Trust: 0.1

VULMON: CVE-2022-20693
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2022-20693
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-405246
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2022-20693
baseSeverity: HIGH
baseScore: 7.2
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.2
impactScore: 5.9
version: 3.1

Trust: 1.0

ykramarz@cisco.com: CVE-2022-20693
baseSeverity: MEDIUM
baseScore: 4.7
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 1.2
impactScore: 3.4
version: 3.1

Trust: 1.0

NVD: CVE-2022-20693
baseSeverity: HIGH
baseScore: 7.2
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-405246 // VULMON: CVE-2022-20693 // JVNDB: JVNDB-2022-009571 // CNNVD: CNNVD-202204-3350 // NVD: CVE-2022-20693 // NVD: CVE-2022-20693

PROBLEMTYPE DATA

problemtype:CWE-74

Trust: 1.1

problemtype:CWE-78

Trust: 1.0

problemtype:OS Command injection (CWE-78) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-405246 // JVNDB: JVNDB-2022-009571 // NVD: CVE-2022-20693

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202204-3350

TYPE

operating system command injection

Trust: 0.6

sources: CNNVD: CNNVD-202204-3350

PATCH

title: cisco-sa-webuiapi-inj-Nyrq92Od, url: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webuiapi-inj-Nyrq92Od

Trust: 0.8

title: CVE-2022-XXXX, url: https://github.com/AlphabugX/CVE-2022-23305

Trust: 0.1

title: CVE-2022-XXXX, url: https://github.com/AlphabugX/CVE-2022-RCE

Trust: 0.1

sources: VULMON: CVE-2022-20693 // JVNDB: JVNDB-2022-009571

EXTERNAL IDS

db: NVD, id: CVE-2022-20693

Trust: 3.4

db: JVNDB, id: JVNDB-2022-009571

Trust: 0.8

db: CS-HELP, id: SB2022041419

Trust: 0.6

db: CNNVD, id: CNNVD-202204-3350

Trust: 0.6

db: CNVD, id: CNVD-2022-46474

Trust: 0.1

db: VULHUB, id: VHN-405246

Trust: 0.1

db: VULMON, id: CVE-2022-20693

Trust: 0.1

sources: VULHUB: VHN-405246 // VULMON: CVE-2022-20693 // JVNDB: JVNDB-2022-009571 // CNNVD: CNNVD-202204-3350 // NVD: CVE-2022-20693

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-webuiapi-inj-nyrq92od

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2022-20693

Trust: 0.8

url:https://www.cybersecurity-help.cz/vdb/sb2022041419

Trust: 0.6

url:https://cxsecurity.com/cveshow/cve-2022-20693/

Trust: 0.6

url:https://vigilance.fr/vulnerability/cisco-ios-xe-code-execution-via-web-ui-api-injection-38068

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/78.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://github.com/alphabugx/cve-2022-23305

Trust: 0.1

sources: VULHUB: VHN-405246 // VULMON: CVE-2022-20693 // JVNDB: JVNDB-2022-009571 // CNNVD: CNNVD-202204-3350 // NVD: CVE-2022-20693

SOURCES

db: VULHUB, id: VHN-405246
db: VULMON, id: CVE-2022-20693
db: JVNDB, id: JVNDB-2022-009571
db: CNNVD, id: CNNVD-202204-3350
db: NVD, id: CVE-2022-20693

LAST UPDATE DATE

2024-08-14T14:44:00.158000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-405246, date: 2022-04-25T00:00:00
db: VULMON, id: CVE-2022-20693, date: 2023-11-07T00:00:00
db: JVNDB, id: JVNDB-2022-009571, date: 2023-08-07T07:50:00
db: CNNVD, id: CNNVD-202204-3350, date: 2023-07-25T00:00:00
db: NVD, id: CVE-2022-20693, date: 2023-11-07T03:42:38.500

SOURCES RELEASE DATE

db: VULHUB, id: VHN-405246, date: 2022-04-15T00:00:00
db: VULMON, id: CVE-2022-20693, date: 2022-04-15T00:00:00
db: JVNDB, id: JVNDB-2022-009571, date: 2023-08-07T00:00:00
db: CNNVD, id: CNNVD-202204-3350, date: 2022-04-13T00:00:00
db: NVD, id: CVE-2022-20693, date: 2022-04-15T15:15:12.823