ID

VAR-202205-0173


CVE

CVE-2022-20780


TITLE

XML external entity vulnerabilities in Cisco Enterprise NFV Infrastructure Software

Trust: 0.8

sources: JVNDB: JVNDB-2022-010082

DESCRIPTION

Multiple vulnerabilities in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an attacker to escape from the guest virtual machine (VM) to the host machine, inject commands that execute at the root level, or leak system data from the host to the VM. For more information about these vulnerabilities, see the Details section of this advisory. Cisco Enterprise NFV Infrastructure Software (NFVIS) contains an XML external entity vulnerability. Information may be obtained.

Trust: 1.8

sources: NVD: CVE-2022-20780 // JVNDB: JVNDB-2022-010082 // VULHUB: VHN-405333 // VULMON: CVE-2022-20780

AFFECTED PRODUCTS

vendor: cisco, model: enterprise nfv infrastructure software, scope: lt, version: 4.7.1

Trust: 1.0

vendor: シスコシステムズ, model: cisco enterprise nfv infrastructure software, scope: eq, version: -

Trust: 0.8

vendor: シスコシステムズ, model: cisco enterprise nfv infrastructure software, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2022-010082 // NVD: CVE-2022-20780

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-20780
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2022-20780
value: CRITICAL

Trust: 1.0

NVD: CVE-2022-20780
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202205-2130
value: HIGH

Trust: 0.6

VULHUB: VHN-405333
value: MEDIUM

Trust: 0.1

VULMON: CVE-2022-20780
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2022-20780
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-405333
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2022-20780
baseSeverity: HIGH
baseScore: 7.4
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 4.0
version: 3.1

Trust: 1.0

ykramarz@cisco.com: CVE-2022-20780
baseSeverity: CRITICAL
baseScore: 9.9
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.1
impactScore: 6.0
version: 3.1

Trust: 1.0

NVD: CVE-2022-20780
baseSeverity: HIGH
baseScore: 7.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-405333 // VULMON: CVE-2022-20780 // JVNDB: JVNDB-2022-010082 // CNNVD: CNNVD-202205-2130 // NVD: CVE-2022-20780 // NVD: CVE-2022-20780

PROBLEMTYPE DATA

problemtype:CWE-611

Trust: 1.1

problemtype:CWE-284

Trust: 1.0

problemtype: Improper restriction of XML external entity references (CWE-611) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-405333 // JVNDB: JVNDB-2022-010082 // NVD: CVE-2022-20780

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202205-2130

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-202205-2130

PATCH

title: cisco-sa-NFVIS-MUL-7DySRX9, url: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-NFVIS-MUL-7DySRX9

Trust: 0.8

title: Cisco Enterprise NFV Infrastructure Software Fixes for code issue vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=191839

Trust: 0.6

title: Cisco: Cisco Enterprise NFV Infrastructure Software Vulnerabilities, url: https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-NFVIS-MUL-7DySRX9

Trust: 0.1

title: CVE-2022-XXXX, url: https://github.com/AlphabugX/CVE-2022-23305

Trust: 0.1

title: CVE-2022-XXXX, url: https://github.com/AlphabugX/CVE-2022-RCE

Trust: 0.1

title: The Register, url: https://www.theregister.co.uk/2022/05/06/cisco-f5-networking-vulnerabilities/

Trust: 0.1

sources: VULMON: CVE-2022-20780 // JVNDB: JVNDB-2022-010082 // CNNVD: CNNVD-202205-2130

EXTERNAL IDS

db: NVD, id: CVE-2022-20780

Trust: 3.4

db: JVNDB, id: JVNDB-2022-010082

Trust: 0.8

db: CS-HELP, id: SB2022050512

Trust: 0.6

db: CNNVD, id: CNNVD-202205-2130

Trust: 0.6

db: VULHUB, id: VHN-405333

Trust: 0.1

db: VULMON, id: CVE-2022-20780

Trust: 0.1

sources: VULHUB: VHN-405333 // VULMON: CVE-2022-20780 // JVNDB: JVNDB-2022-010082 // CNNVD: CNNVD-202205-2130 // NVD: CVE-2022-20780

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-nfvis-mul-7dysrx9

Trust: 1.9

url:https://github.com/orangecertcc/security-research/security/advisories/ghsa-hrpq-384f-vrpg

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2022-20780

Trust: 0.8

url:https://cxsecurity.com/cveshow/cve-2022-20780/

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022050512

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/611.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://www.theregister.co.uk/2022/05/06/cisco-f5-networking-vulnerabilities/

Trust: 0.1

url:https://github.com/alphabugx/cve-2022-23305

Trust: 0.1

sources: VULHUB: VHN-405333 // VULMON: CVE-2022-20780 // JVNDB: JVNDB-2022-010082 // CNNVD: CNNVD-202205-2130 // NVD: CVE-2022-20780

SOURCES

db: VULHUB, id: VHN-405333
db: VULMON, id: CVE-2022-20780
db: JVNDB, id: JVNDB-2022-010082
db: CNNVD, id: CNNVD-202205-2130
db: NVD, id: CVE-2022-20780

LAST UPDATE DATE

2024-08-14T14:43:55.711000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-405333, date: 2022-05-11T00:00:00
db: VULMON, id: CVE-2022-20780, date: 2023-11-07T00:00:00
db: JVNDB, id: JVNDB-2022-010082, date: 2023-08-10T06:32:00
db: CNNVD, id: CNNVD-202205-2130, date: 2022-05-12T00:00:00
db: NVD, id: CVE-2022-20780, date: 2023-11-07T03:42:55.773

SOURCES RELEASE DATE

db: VULHUB, id: VHN-405333, date: 2022-05-04T00:00:00
db: VULMON, id: CVE-2022-20780, date: 2022-05-04T00:00:00
db: JVNDB, id: JVNDB-2022-010082, date: 2023-08-10T00:00:00
db: CNNVD, id: CNNVD-202205-2130, date: 2022-05-04T00:00:00
db: NVD, id: CVE-2022-20780, date: 2022-05-04T17:15:08.620