Details of VAR-202207-0228

ID

VAR-202207-0228

CVE

CVE-2022-20862

TITLE

Cisco Unified Communications Manager and Cisco Unified Communications Manager Session Management Edition Past traversal vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2022-016225

DESCRIPTION

A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to read arbitrary files on the underlying operating system of an affected device. This vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request that contains directory traversal character sequences to an affected system. A successful exploit could allow the attacker to access sensitive files on the operating system. This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution. Attackers can use this vulnerability to read arbitrary files on the host and obtain sensitive information

Trust: 1.8

sources: NVD: CVE-2022-20862 // JVNDB: JVNDB-2022-016225 // VULHUB: VHN-405415 // VULMON: CVE-2022-20862

AFFECTED PRODUCTS

vendor:	cisco	model:	unified communications manager	scope:	lt	version:	14su2	Trust: 1.0
vendor:	cisco	model:	unified communications manager	scope:	lt	version:	12.5\(1\)su6	Trust: 1.0
vendor:	cisco	model:	unified communications manager	scope:	gte	version:	14.0	Trust: 1.0
vendor:	シスコシステムズ	model:	cisco unified communications manager	scope:	eq	version:	-	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco unified communications manager	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2022-016225 // NVD: CVE-2022-20862

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-20862
value:	MEDIUM
Trust: 1.0
ykramarz@cisco.com:	CVE-2022-20862
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2022-20862
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202207-441
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-405415
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2022-20862
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2022-20862
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-405415
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2022-20862
baseSeverity:	MEDIUM
baseScore:	4.3
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	1.4
version:	3.1
Trust: 2.0
NVD:	CVE-2022-20862
baseSeverity:	MEDIUM
baseScore:	4.3
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-405415 // VULMON: CVE-2022-20862 // JVNDB: JVNDB-2022-016225 // CNNVD: CNNVD-202207-441 // NVD: CVE-2022-20862 // NVD: CVE-2022-20862

PROBLEMTYPE DATA

problemtype:	CWE-22	Trust: 1.1
problemtype:	CWE-23	Trust: 1.0
problemtype:	Path traversal (CWE-22) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-405415 // JVNDB: JVNDB-2022-016225 // NVD: CVE-2022-20862

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202207-441

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-202207-441

PATCH

title:	cisco-sa-ucm-file-read-qgjhEc3A	url:	https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucm-file-read-qgjhEc3A	Trust: 0.8
title:	Cisco Unified Communications Manager Repair measures for path traversal vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=199991	Trust: 0.6
title:	Cisco: Cisco Unified Communications Manager Arbitrary File Read Vulnerability	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-ucm-file-read-qgjhEc3A	Trust: 0.1
title:	CVE-2022-XXXX	url:	https://github.com/AlphabugX/CVE-2022-23305	Trust: 0.1
title:	CVE-2022-XXXX	url:	https://github.com/AlphabugX/CVE-2022-RCE	Trust: 0.1

sources: VULMON: CVE-2022-20862 // JVNDB: JVNDB-2022-016225 // CNNVD: CNNVD-202207-441

EXTERNAL IDS

db:	NVD	id:	CVE-2022-20862	Trust: 3.4
db:	JVNDB	id:	JVNDB-2022-016225	Trust: 0.8
db:	CS-HELP	id:	SB2022070621	Trust: 0.6
db:	AUSCERT	id:	ESB-2022.3309	Trust: 0.6
db:	CNNVD	id:	CNNVD-202207-441	Trust: 0.6
db:	CNVD	id:	CNVD-2022-50631	Trust: 0.1
db:	VULHUB	id:	VHN-405415	Trust: 0.1
db:	VULMON	id:	CVE-2022-20862	Trust: 0.1

sources: VULHUB: VHN-405415 // VULMON: CVE-2022-20862 // JVNDB: JVNDB-2022-016225 // CNNVD: CNNVD-202207-441 // NVD: CVE-2022-20862

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-ucm-file-read-qgjhec3a	Trust: 2.5
url:	https://nvd.nist.gov/vuln/detail/cve-2022-20862	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/esb-2022.3309	Trust: 0.6
url:	https://cxsecurity.com/cveshow/cve-2022-20862/	Trust: 0.6
url:	https://vigilance.fr/vulnerability/cisco-unified-communications-manager-directory-traversal-38748	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022070621	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/22.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://github.com/alphabugx/cve-2022-23305	Trust: 0.1

sources: VULHUB: VHN-405415 // VULMON: CVE-2022-20862 // JVNDB: JVNDB-2022-016225 // CNNVD: CNNVD-202207-441 // NVD: CVE-2022-20862

SOURCES

db:	VULHUB	id:	VHN-405415
db:	VULMON	id:	CVE-2022-20862
db:	JVNDB	id:	JVNDB-2022-016225
db:	CNNVD	id:	CNNVD-202207-441
db:	NVD	id:	CVE-2022-20862

LAST UPDATE DATE

2024-08-14T13:53:11.859000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-405415	date:	2022-07-14T00:00:00
db:	VULMON	id:	CVE-2022-20862	date:	2023-11-07T00:00:00
db:	JVNDB	id:	JVNDB-2022-016225	date:	2023-10-03T05:22:00
db:	CNNVD	id:	CNNVD-202207-441	date:	2022-07-15T00:00:00
db:	NVD	id:	CVE-2022-20862	date:	2023-11-07T03:43:09.217

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-405415	date:	2022-07-06T00:00:00
db:	VULMON	id:	CVE-2022-20862	date:	2022-07-06T00:00:00
db:	JVNDB	id:	JVNDB-2022-016225	date:	2023-10-03T00:00:00
db:	CNNVD	id:	CNNVD-202207-441	date:	2022-07-06T00:00:00
db:	NVD	id:	CVE-2022-20862	date:	2022-07-06T21:15:11.847