ID

VAR-202207-0228


CVE

CVE-2022-20862


TITLE

Path traversal vulnerability in Cisco Unified Communications Manager and Cisco Unified Communications Manager Session Management Edition

Trust: 0.8

sources: JVNDB: JVNDB-2022-016225

DESCRIPTION

A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to read arbitrary files on the underlying operating system of an affected device. This vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request that contains directory traversal character sequences to an affected system. A successful exploit could allow the attacker to access sensitive files on the operating system. This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution. Attackers can use this vulnerability to read arbitrary files on the host and obtain sensitive information.

Trust: 1.8

sources: NVD: CVE-2022-20862 // JVNDB: JVNDB-2022-016225 // VULHUB: VHN-405415 // VULMON: CVE-2022-20862

AFFECTED PRODUCTS

vendor: cisco, model: unified communications manager, scope: lt, version: 14su2

Trust: 1.0

vendor: cisco, model: unified communications manager, scope: lt, version: 12.5(1)su6

Trust: 1.0

vendor: cisco, model: unified communications manager, scope: gte, version: 14.0

Trust: 1.0

vendor: Cisco Systems, model: cisco unified communications manager, scope: eq, version: -

Trust: 0.8

vendor: Cisco Systems, model: cisco unified communications manager, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2022-016225 // NVD: CVE-2022-20862

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-20862
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2022-20862
value: MEDIUM

Trust: 1.0

NVD: CVE-2022-20862
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202207-441
value: MEDIUM

Trust: 0.6

VULHUB: VHN-405415
value: MEDIUM

Trust: 0.1

VULMON: CVE-2022-20862
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2022-20862
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-405415
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2022-20862
baseSeverity: MEDIUM
baseScore: 4.3
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 1.4
version: 3.1

Trust: 2.0

NVD: CVE-2022-20862
baseSeverity: MEDIUM
baseScore: 4.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-405415 // VULMON: CVE-2022-20862 // JVNDB: JVNDB-2022-016225 // CNNVD: CNNVD-202207-441 // NVD: CVE-2022-20862 // NVD: CVE-2022-20862

PROBLEMTYPE DATA

problemtype:CWE-22

Trust: 1.1

problemtype:CWE-23

Trust: 1.0

problemtype: Path traversal (CWE-22) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-405415 // JVNDB: JVNDB-2022-016225 // NVD: CVE-2022-20862

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202207-441

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-202207-441

PATCH

title: cisco-sa-ucm-file-read-qgjhEc3A, url: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucm-file-read-qgjhEc3A

Trust: 0.8

title: Cisco Unified Communications Manager Repair measures for path traversal vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=199991

Trust: 0.6

title: Cisco: Cisco Unified Communications Manager Arbitrary File Read Vulnerability, url: https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-ucm-file-read-qgjhEc3A

Trust: 0.1

title: CVE-2022-XXXX, url: https://github.com/AlphabugX/CVE-2022-23305

Trust: 0.1

title: CVE-2022-XXXX, url: https://github.com/AlphabugX/CVE-2022-RCE

Trust: 0.1

sources: VULMON: CVE-2022-20862 // JVNDB: JVNDB-2022-016225 // CNNVD: CNNVD-202207-441

EXTERNAL IDS

db: NVD, id: CVE-2022-20862

Trust: 3.4

db: JVNDB, id: JVNDB-2022-016225

Trust: 0.8

db: CS-HELP, id: SB2022070621

Trust: 0.6

db: AUSCERT, id: ESB-2022.3309

Trust: 0.6

db: CNNVD, id: CNNVD-202207-441

Trust: 0.6

db: CNVD, id: CNVD-2022-50631

Trust: 0.1

db: VULHUB, id: VHN-405415

Trust: 0.1

db: VULMON, id: CVE-2022-20862

Trust: 0.1

sources: VULHUB: VHN-405415 // VULMON: CVE-2022-20862 // JVNDB: JVNDB-2022-016225 // CNNVD: CNNVD-202207-441 // NVD: CVE-2022-20862

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-ucm-file-read-qgjhec3a

Trust: 2.5

url:https://nvd.nist.gov/vuln/detail/cve-2022-20862

Trust: 0.8

url:https://www.auscert.org.au/bulletins/esb-2022.3309

Trust: 0.6

url:https://cxsecurity.com/cveshow/cve-2022-20862/

Trust: 0.6

url:https://vigilance.fr/vulnerability/cisco-unified-communications-manager-directory-traversal-38748

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022070621

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/22.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://github.com/alphabugx/cve-2022-23305

Trust: 0.1

sources: VULHUB: VHN-405415 // VULMON: CVE-2022-20862 // JVNDB: JVNDB-2022-016225 // CNNVD: CNNVD-202207-441 // NVD: CVE-2022-20862

SOURCES

db: VULHUB, id: VHN-405415
db: VULMON, id: CVE-2022-20862
db: JVNDB, id: JVNDB-2022-016225
db: CNNVD, id: CNNVD-202207-441
db: NVD, id: CVE-2022-20862

LAST UPDATE DATE

2024-08-14T13:53:11.859000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-405415, date: 2022-07-14T00:00:00
db: VULMON, id: CVE-2022-20862, date: 2023-11-07T00:00:00
db: JVNDB, id: JVNDB-2022-016225, date: 2023-10-03T05:22:00
db: CNNVD, id: CNNVD-202207-441, date: 2022-07-15T00:00:00
db: NVD, id: CVE-2022-20862, date: 2023-11-07T03:43:09.217

SOURCES RELEASE DATE

db: VULHUB, id: VHN-405415, date: 2022-07-06T00:00:00
db: VULMON, id: CVE-2022-20862, date: 2022-07-06T00:00:00
db: JVNDB, id: JVNDB-2022-016225, date: 2023-10-03T00:00:00
db: CNNVD, id: CNNVD-202207-441, date: 2022-07-06T00:00:00
db: NVD, id: CVE-2022-20862, date: 2022-07-06T21:15:11.847