ID

VAR-202208-0217


CVE

CVE-2022-20914


TITLE

Cisco Identity Services Engine  Inadequate protection of credentials in software vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2022-016740

DESCRIPTION

A vulnerability in the External RESTful Services (ERS) API of Cisco Identity Services Engine (ISE) Software could allow an authenticated, remote attacker to obtain sensitive information. This vulnerability is due to excessive verbosity in a specific REST API output. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to obtain sensitive information, including administrative credentials for an external authentication server. Note: To successfully exploit this vulnerability, the attacker must have valid ERS administrative credentials. The platform monitors the network by collecting real-time information on the network, users and devices, and formulating and implementing corresponding policies. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link:tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-pwd-WH64AhQF

Trust: 1.8

sources: NVD: CVE-2022-20914 // JVNDB: JVNDB-2022-016740 // VULHUB: VHN-405467 // VULMON: CVE-2022-20914

AFFECTED PRODUCTS

vendor:ciscomodel:identity services enginescope:ltversion:2.6.0

Trust: 1.0

vendor:ciscomodel:identity services enginescope:eqversion:3.1

Trust: 1.0

vendor:ciscomodel:identity services enginescope:eqversion:3.0.0

Trust: 1.0

vendor:ciscomodel:identity services enginescope:eqversion:2.7.0

Trust: 1.0

vendor:ciscomodel:identity services enginescope:eqversion:2.6.0

Trust: 1.0

vendor:ciscomodel:identity services enginescope:gteversion:2.4.0

Trust: 1.0

vendor:シスコシステムズmodel:cisco identity services enginescope: - version: -

Trust: 0.8

vendor:シスコシステムズmodel:cisco identity services enginescope:eqversion: -

Trust: 0.8

sources: JVNDB: JVNDB-2022-016740 // NVD: CVE-2022-20914

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-20914
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2022-20914
value: MEDIUM

Trust: 1.0

NVD: CVE-2022-20914
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202208-2131
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2022-20914
baseSeverity: MEDIUM
baseScore: 4.9
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.2
impactScore: 3.6
version: 3.1

Trust: 2.0

NVD: CVE-2022-20914
baseSeverity: MEDIUM
baseScore: 4.9
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2022-016740 // CNNVD: CNNVD-202208-2131 // NVD: CVE-2022-20914 // NVD: CVE-2022-20914

PROBLEMTYPE DATA

problemtype:CWE-522

Trust: 1.1

problemtype:CWE-549

Trust: 1.0

problemtype:Inadequate protection of credentials (CWE-522) [NVD evaluation ]

Trust: 0.8

sources: VULHUB: VHN-405467 // JVNDB: JVNDB-2022-016740 // NVD: CVE-2022-20914

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202208-2131

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202208-2131

PATCH

title:cisco-sa-ise-pwd-WH64AhQFurl:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-pwd-WH64AhQF

Trust: 0.8

title:Cisco Identity Services Engine Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=203522

Trust: 0.6

title:Cisco: Cisco Identity Services Engine Sensitive Information Disclosure Vulnerabilityurl:https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-ise-pwd-WH64AhQF

Trust: 0.1

sources: VULMON: CVE-2022-20914 // JVNDB: JVNDB-2022-016740 // CNNVD: CNNVD-202208-2131

EXTERNAL IDS

db:NVDid:CVE-2022-20914

Trust: 3.4

db:JVNDBid:JVNDB-2022-016740

Trust: 0.8

db:CNNVDid:CNNVD-202208-2131

Trust: 0.7

db:AUSCERTid:ESB-2022.3836

Trust: 0.6

db:VULHUBid:VHN-405467

Trust: 0.1

db:VULMONid:CVE-2022-20914

Trust: 0.1

sources: VULHUB: VHN-405467 // VULMON: CVE-2022-20914 // JVNDB: JVNDB-2022-016740 // CNNVD: CNNVD-202208-2131 // NVD: CVE-2022-20914

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-ise-pwd-wh64ahqf

Trust: 2.4

url:https://nvd.nist.gov/vuln/detail/cve-2022-20914

Trust: 0.8

url:https://cxsecurity.com/cveshow/cve-2022-20914/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.3836

Trust: 0.6

sources: VULHUB: VHN-405467 // VULMON: CVE-2022-20914 // JVNDB: JVNDB-2022-016740 // CNNVD: CNNVD-202208-2131 // NVD: CVE-2022-20914

SOURCES

db:VULHUBid:VHN-405467
db:VULMONid:CVE-2022-20914
db:JVNDBid:JVNDB-2022-016740
db:CNNVDid:CNNVD-202208-2131
db:NVDid:CVE-2022-20914

LAST UPDATE DATE

2024-08-14T15:21:40.601000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-405467date:2022-08-12T00:00:00
db:JVNDBid:JVNDB-2022-016740date:2023-10-06T05:08:00
db:CNNVDid:CNNVD-202208-2131date:2022-08-15T00:00:00
db:NVDid:CVE-2022-20914date:2023-11-07T03:43:18.860

SOURCES RELEASE DATE

db:VULHUBid:VHN-405467date:2022-08-10T00:00:00
db:JVNDBid:JVNDB-2022-016740date:2023-10-06T00:00:00
db:CNNVDid:CNNVD-202208-2131date:2022-08-03T00:00:00
db:NVDid:CVE-2022-20914date:2022-08-10T09:15:08.760