Details of VAR-202207-1553

ID

VAR-202207-1553

CVE

CVE-2022-20860

TITLE

Cisco Nexus Dashboard Certificate validation vulnerabilities in

Trust: 0.8

sources: JVNDB: JVNDB-2022-015664

DESCRIPTION

A vulnerability in the SSL/TLS implementation of Cisco Nexus Dashboard could allow an unauthenticated, remote attacker to alter communications with associated controllers or view sensitive information. This vulnerability exists because SSL server certificates are not validated when Cisco Nexus Dashboard is establishing a connection to Cisco Application Policy Infrastructure Controller (APIC), Cisco Cloud APIC, or Cisco Nexus Dashboard Fabric Controller, formerly Data Center Network Manager (DCNM) controllers. An attacker could exploit this vulnerability by using man-in-the-middle techniques to intercept the traffic between the affected device and the controllers, and then using a crafted certificate to impersonate the controllers. A successful exploit could allow the attacker to alter communications between devices or view sensitive information, including Administrator credentials for these controllers. Cisco Nexus Dashboard is a single console of Cisco (Cisco). It can simplify the operation and management of the data center network

Trust: 1.8

sources: NVD: CVE-2022-20860 // JVNDB: JVNDB-2022-015664 // VULHUB: VHN-405413 // VULMON: CVE-2022-20860

AFFECTED PRODUCTS

vendor:	cisco	model:	nexus dashboard	scope:	lt	version:	2.2\(1h\)	Trust: 1.0
vendor:	cisco	model:	nexus dashboard	scope:	gte	version:	1.1	Trust: 1.0
vendor:	シスコシステムズ	model:	cisco nexus dashboard	scope:	-	version:	-	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco nexus dashboard	scope:	eq	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2022-015664 // NVD: CVE-2022-20860

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-20860
value:	HIGH
Trust: 1.0
ykramarz@cisco.com:	CVE-2022-20860
value:	HIGH
Trust: 1.0
NVD:	CVE-2022-20860
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202207-2116
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2022-20860
baseSeverity:	HIGH
baseScore:	7.4
vectorString:	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	2.2
impactScore:	5.2
version:	3.1
Trust: 2.0
NVD:	CVE-2022-20860
baseSeverity:	HIGH
baseScore:	7.4
vectorString:	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2022-015664 // CNNVD: CNNVD-202207-2116 // NVD: CVE-2022-20860 // NVD: CVE-2022-20860

PROBLEMTYPE DATA

problemtype:	CWE-295	Trust: 1.1
problemtype:	Illegal certificate verification (CWE-295) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-405413 // JVNDB: JVNDB-2022-015664 // NVD: CVE-2022-20860

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202207-2116

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-202207-2116

PATCH

title:	cisco-sa-nd-tlsvld-TbAQLp3N	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nd-tlsvld-TbAQLp3N	Trust: 0.8
title:	Cisco Nexus Dashboard Repair measures for trust management problem vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=200872	Trust: 0.6
title:	Cisco: Cisco Nexus Dashboard SSL Certificate Validation Vulnerability	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-nd-tlsvld-TbAQLp3N	Trust: 0.1

sources: VULMON: CVE-2022-20860 // JVNDB: JVNDB-2022-015664 // CNNVD: CNNVD-202207-2116

EXTERNAL IDS

db:	NVD	id:	CVE-2022-20860	Trust: 3.4
db:	JVNDB	id:	JVNDB-2022-015664	Trust: 0.8
db:	CNNVD	id:	CNNVD-202207-2116	Trust: 0.7
db:	CS-HELP	id:	SB2022072129	Trust: 0.6
db:	VULHUB	id:	VHN-405413	Trust: 0.1
db:	VULMON	id:	CVE-2022-20860	Trust: 0.1

sources: VULHUB: VHN-405413 // VULMON: CVE-2022-20860 // JVNDB: JVNDB-2022-015664 // CNNVD: CNNVD-202207-2116 // NVD: CVE-2022-20860

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-nd-tlsvld-tbaqlp3n	Trust: 2.5
url:	https://nvd.nist.gov/vuln/detail/cve-2022-20860	Trust: 0.8
url:	https://cxsecurity.com/cveshow/cve-2022-20860/	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022072129	Trust: 0.6
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-405413 // VULMON: CVE-2022-20860 // JVNDB: JVNDB-2022-015664 // CNNVD: CNNVD-202207-2116 // NVD: CVE-2022-20860

SOURCES

db:	VULHUB	id:	VHN-405413
db:	VULMON	id:	CVE-2022-20860
db:	JVNDB	id:	JVNDB-2022-015664
db:	CNNVD	id:	CNNVD-202207-2116
db:	NVD	id:	CVE-2022-20860

LAST UPDATE DATE

2024-08-14T14:31:03.398000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-405413	date:	2022-07-27T00:00:00
db:	VULMON	id:	CVE-2022-20860	date:	2022-07-21T00:00:00
db:	JVNDB	id:	JVNDB-2022-015664	date:	2023-09-28T05:30:00
db:	CNNVD	id:	CNNVD-202207-2116	date:	2022-07-28T00:00:00
db:	NVD	id:	CVE-2022-20860	date:	2023-11-07T03:43:08.823

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-405413	date:	2022-07-21T00:00:00
db:	VULMON	id:	CVE-2022-20860	date:	2022-07-21T00:00:00
db:	JVNDB	id:	JVNDB-2022-015664	date:	2023-09-28T00:00:00
db:	CNNVD	id:	CNNVD-202207-2116	date:	2022-07-20T00:00:00
db:	NVD	id:	CVE-2022-20860	date:	2022-07-21T04:15:10.417