ID

VAR-202207-0225


CVE

CVE-2022-20859


TITLE

plural  Cisco  Product vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2022-016228

DESCRIPTION

A vulnerability in the Disaster Recovery framework of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), and Cisco Unity Connection could allow an authenticated, remote attacker to perform certain administrative actions they should not be able to. This vulnerability is due to insufficient access control checks on the affected device. An attacker with read-only privileges could exploit this vulnerability by executing a specific vulnerable command on an affected device. A successful exploit could allow the attacker to perform a set of administrative actions they should not be able to. (DoS) It may be in a state. This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution

Trust: 1.8

sources: NVD: CVE-2022-20859 // JVNDB: JVNDB-2022-016228 // VULHUB: VHN-405412 // VULMON: CVE-2022-20859

AFFECTED PRODUCTS

vendor:ciscomodel:unified communications manager im and presence servicescope:ltversion:14.0su2

Trust: 1.0

vendor:ciscomodel:unity connectionscope:ltversion:14su2

Trust: 1.0

vendor:ciscomodel:unified communications managerscope:ltversion:14su2

Trust: 1.0

vendor:ciscomodel:unity connectionscope:gteversion:14.0

Trust: 1.0

vendor:ciscomodel:unified communications managerscope:gteversion:14.0

Trust: 1.0

vendor:ciscomodel:unified communications manager im and presence servicescope:gteversion:14.0

Trust: 1.0

vendor:シスコシステムズmodel:cisco unity connectionscope: - version: -

Trust: 0.8

vendor:シスコシステムズmodel:cisco unified communications managerscope: - version: -

Trust: 0.8

vendor:シスコシステムズmodel:cisco unified communications manager im and presence servicescope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2022-016228 // NVD: CVE-2022-20859

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-20859
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2022-20859
value: MEDIUM

Trust: 1.0

NVD: CVE-2022-20859
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202207-439
value: HIGH

Trust: 0.6

VULHUB: VHN-405412
value: HIGH

Trust: 0.1

VULMON: CVE-2022-20859
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2022-20859
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-405412
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2022-20859
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

ykramarz@cisco.com: CVE-2022-20859
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2022-20859
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-405412 // VULMON: CVE-2022-20859 // JVNDB: JVNDB-2022-016228 // CNNVD: CNNVD-202207-439 // NVD: CVE-2022-20859 // NVD: CVE-2022-20859

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

problemtype:CWE-284

Trust: 1.0

problemtype:others (CWE-Other) [NVD evaluation ]

Trust: 0.8

problemtype:CWE-863

Trust: 0.1

sources: VULHUB: VHN-405412 // JVNDB: JVNDB-2022-016228 // NVD: CVE-2022-20859

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202207-439

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202207-439

PATCH

title:cisco-sa-ucm-access-dMKvV2DYurl:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucm-access-dMKvV2DY

Trust: 0.8

title:Cisco Unified Communications Manager Security vulnerabilitiesurl:http://123.124.177.30/web/xxk/bdxqById.tag?id=247278

Trust: 0.6

title:Cisco: Cisco Unified Communications Products Access Control Vulnerabilityurl:https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-ucm-access-dMKvV2DY

Trust: 0.1

title:CVE-2022-XXXXurl:https://github.com/AlphabugX/CVE-2022-23305

Trust: 0.1

title:CVE-2022-XXXXurl:https://github.com/AlphabugX/CVE-2022-RCE

Trust: 0.1

sources: VULMON: CVE-2022-20859 // JVNDB: JVNDB-2022-016228 // CNNVD: CNNVD-202207-439

EXTERNAL IDS

db:NVDid:CVE-2022-20859

Trust: 3.4

db:JVNDBid:JVNDB-2022-016228

Trust: 0.8

db:AUSCERTid:ESB-2022.3303

Trust: 0.6

db:CS-HELPid:SB2022070621

Trust: 0.6

db:CNNVDid:CNNVD-202207-439

Trust: 0.6

db:CNVDid:CNVD-2022-50626

Trust: 0.1

db:VULHUBid:VHN-405412

Trust: 0.1

db:VULMONid:CVE-2022-20859

Trust: 0.1

sources: VULHUB: VHN-405412 // VULMON: CVE-2022-20859 // JVNDB: JVNDB-2022-016228 // CNNVD: CNNVD-202207-439 // NVD: CVE-2022-20859

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-ucm-access-dmkvv2dy

Trust: 2.5

url:https://nvd.nist.gov/vuln/detail/cve-2022-20859

Trust: 0.8

url:https://cxsecurity.com/cveshow/cve-2022-20859/

Trust: 0.6

url:https://vigilance.fr/vulnerability/cisco-unified-communications-manager-unity-privilege-escalation-via-disaster-recovery-framework-38743

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022070621

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.3303

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://github.com/alphabugx/cve-2022-23305

Trust: 0.1

sources: VULHUB: VHN-405412 // VULMON: CVE-2022-20859 // JVNDB: JVNDB-2022-016228 // CNNVD: CNNVD-202207-439 // NVD: CVE-2022-20859

SOURCES

db:VULHUBid:VHN-405412
db:VULMONid:CVE-2022-20859
db:JVNDBid:JVNDB-2022-016228
db:CNNVDid:CNNVD-202207-439
db:NVDid:CVE-2022-20859

LAST UPDATE DATE

2024-08-14T13:53:11.887000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-405412date:2022-07-14T00:00:00
db:VULMONid:CVE-2022-20859date:2023-11-07T00:00:00
db:JVNDBid:JVNDB-2022-016228date:2023-10-03T05:36:00
db:CNNVDid:CNNVD-202207-439date:2023-07-25T00:00:00
db:NVDid:CVE-2022-20859date:2023-11-07T03:43:08.637

SOURCES RELEASE DATE

db:VULHUBid:VHN-405412date:2022-07-06T00:00:00
db:VULMONid:CVE-2022-20859date:2022-07-06T00:00:00
db:JVNDBid:JVNDB-2022-016228date:2023-10-03T00:00:00
db:CNNVDid:CNNVD-202207-439date:2022-07-06T00:00:00
db:NVDid:CVE-2022-20859date:2022-07-06T21:15:11.797