ID

VAR-202204-1586


CVE

CVE-2022-20732


TITLE

Cisco Virtualized Infrastructure Manager Access control error vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-202204-3928

DESCRIPTION

A vulnerability in the configuration file protections of Cisco Virtualized Infrastructure Manager (VIM) could allow an authenticated, local attacker to access confidential information and elevate privileges on an affected device. This vulnerability is due to improper access permissions for certain configuration files. An attacker with low-privileged credentials could exploit this vulnerability by accessing an affected device and reading the affected configuration files. A successful exploit could allow the attacker to obtain internal database credentials, which the attacker could use to view and modify the contents of the database. The attacker could use this access to the database to elevate privileges on the affected device. Cisco Virtualized Infrastructure Manager is a fully automated cloud lifecycle management system from Cisco.

Trust: 1.08

sources: NVD: CVE-2022-20732 // VULHUB: VHN-405285 // VULMON: CVE-2022-20732

AFFECTED PRODUCTS

vendor: cisco
model: virtualized infrastructure manager
scope: lt
version: 4.2.2

Trust: 1.0

sources: NVD: CVE-2022-20732

CVSS

SEVERITY

nvd@nist.gov: CVE-2022-20732
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2022-20732
value: HIGH

Trust: 1.0

CNNVD: CNNVD-202204-3928
value: HIGH

Trust: 0.6

VULHUB: VHN-405285
value: MEDIUM

Trust: 0.1

VULMON: CVE-2022-20732
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2022-20732
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

VULHUB: VHN-405285
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2022-20732
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 2.0

sources: VULHUB: VHN-405285 // VULMON: CVE-2022-20732 // CNNVD: CNNVD-202204-3928 // NVD: CVE-2022-20732 // NVD: CVE-2022-20732

PROBLEMTYPE DATA

problemtype: CWE-276

Trust: 1.1

problemtype: CWE-284

Trust: 1.0

sources: VULHUB: VHN-405285 // NVD: CVE-2022-20732

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202204-3928

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-202204-3928

PATCH

title: Cisco Virtualized Infrastructure Manager Fixes for access control error vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=190421

Trust: 0.6

title: Cisco: Cisco Virtualized Infrastructure Manager Privilege Escalation Vulnerability
url: https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-vim-privesc-T2tsFUf

Trust: 0.1

title: CVE-2022-XXXX
url: https://github.com/AlphabugX/CVE-2022-23305

Trust: 0.1

title: CVE-2022-XXXX
url: https://github.com/AlphabugX/CVE-2022-RCE

Trust: 0.1

sources: VULMON: CVE-2022-20732 // CNNVD: CNNVD-202204-3928

EXTERNAL IDS

db: NVD, id: CVE-2022-20732

Trust: 1.8

db: CS-HELP, id: SB2022042125

Trust: 0.6

db: AUSCERT, id: ESB-2022.1733

Trust: 0.6

db: CNNVD, id: CNNVD-202204-3928

Trust: 0.6

db: CNVD, id: CNVD-2022-46475

Trust: 0.1

db: VULHUB, id: VHN-405285

Trust: 0.1

db: VULMON, id: CVE-2022-20732

Trust: 0.1

sources: VULHUB: VHN-405285 // VULMON: CVE-2022-20732 // CNNVD: CNNVD-202204-3928 // NVD: CVE-2022-20732

REFERENCES

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-vim-privesc-t2tsfuf

Trust: 2.5

url: https://www.cybersecurity-help.cz/vdb/sb2022042125

Trust: 0.6

url: https://www.auscert.org.au/bulletins/esb-2022.1733

Trust: 0.6

url: https://cxsecurity.com/cveshow/cve-2022-20732/

Trust: 0.6

url: https://cwe.mitre.org/data/definitions/276.html

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

url: https://github.com/alphabugx/cve-2022-23305

Trust: 0.1

sources: VULHUB: VHN-405285 // VULMON: CVE-2022-20732 // CNNVD: CNNVD-202204-3928 // NVD: CVE-2022-20732

SOURCES

db: VULHUB, id: VHN-405285
db: VULMON, id: CVE-2022-20732
db: CNNVD, id: CNNVD-202204-3928
db: NVD, id: CVE-2022-20732

LAST UPDATE DATE

2024-11-23T22:10:47.425000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-405285, date: 2022-05-03T00:00:00
db: VULMON, id: CVE-2022-20732, date: 2023-11-07T00:00:00
db: CNNVD, id: CNNVD-202204-3928, date: 2022-05-05T00:00:00
db: NVD, id: CVE-2022-20732, date: 2024-11-21T06:43:26.300

SOURCES RELEASE DATE

db: VULHUB, id: VHN-405285, date: 2022-04-21T00:00:00
db: VULMON, id: CVE-2022-20732, date: 2022-04-21T00:00:00
db: CNNVD, id: CNNVD-202204-3928, date: 2022-04-20T00:00:00
db: NVD, id: CVE-2022-20732, date: 2022-04-21T19:15:08.230