ID

VAR-202208-0350


CVE

CVE-2022-20816


TITLE

Path traversal vulnerability in Cisco Unified Communications Manager and Cisco Unified Communications Manager Session Management Edition

Trust: 0.8

sources: JVNDB: JVNDB-2022-016752

DESCRIPTION

A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to delete arbitrary files from an affected system. This vulnerability exists because the affected software does not properly validate HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected software. A successful exploit could allow the attacker to delete arbitrary files from the affected system. This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-file-delete-N2VPmOnE

Trust: 1.8

sources: NVD: CVE-2022-20816 // JVNDB: JVNDB-2022-016752 // VULHUB: VHN-405369 // VULMON: CVE-2022-20816

AFFECTED PRODUCTS

vendor: cisco, model: unified communications manager, scope: gte, version: 11.5(1)

Trust: 1.0

vendor: cisco, model: unified communications manager, scope: lt, version: 14su2

Trust: 1.0

vendor: Cisco Systems, model: cisco unified communications manager, scope: eq, version: -

Trust: 0.8

vendor: Cisco Systems, model: cisco unified communications manager, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2022-016752 // NVD: CVE-2022-20816

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-20816
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2022-20816
value: MEDIUM

Trust: 1.0

NVD: CVE-2022-20816
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202208-2129
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2022-20816
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.2
version: 3.1

Trust: 1.0

ykramarz@cisco.com: CVE-2022-20816
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2022-20816
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2022-016752 // CNNVD: CNNVD-202208-2129 // NVD: CVE-2022-20816 // NVD: CVE-2022-20816

PROBLEMTYPE DATA

problemtype:CWE-22

Trust: 1.1

problemtype: Path traversal (CWE-22) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-405369 // JVNDB: JVNDB-2022-016752 // NVD: CVE-2022-20816

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202208-2129

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-202208-2129

PATCH

title: cisco-sa-cucm-file-delete-N2VPmOnE
url: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-file-delete-N2VPmOnE

Trust: 0.8

title: Cisco Unified Communications Manager Repair measures for path traversal vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=204184

Trust: 0.6

title: Cisco: Cisco Unified Communications Manager Arbitrary File Deletion Vulnerability
url: https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-cucm-file-delete-N2VPmOnE

Trust: 0.1

sources: VULMON: CVE-2022-20816 // JVNDB: JVNDB-2022-016752 // CNNVD: CNNVD-202208-2129

EXTERNAL IDS

db: NVD, id: CVE-2022-20816

Trust: 3.4

db: JVNDB, id: JVNDB-2022-016752

Trust: 0.8

db: CNNVD, id: CNNVD-202208-2129

Trust: 0.7

db: AUSCERT, id: ESB-2022.3826

Trust: 0.6

db: VULHUB, id: VHN-405369

Trust: 0.1

db: VULMON, id: CVE-2022-20816

Trust: 0.1

sources: VULHUB: VHN-405369 // VULMON: CVE-2022-20816 // JVNDB: JVNDB-2022-016752 // CNNVD: CNNVD-202208-2129 // NVD: CVE-2022-20816

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-cucm-file-delete-n2vpmone

Trust: 2.4

url:https://nvd.nist.gov/vuln/detail/cve-2022-20816

Trust: 0.8

url:https://www.auscert.org.au/bulletins/esb-2022.3826

Trust: 0.6

url:https://cxsecurity.com/cveshow/cve-2022-20816/

Trust: 0.6

url:https://vigilance.fr/vulnerability/cisco-unified-communications-manager-file-deletion-via-http-request-38992

Trust: 0.6

sources: VULHUB: VHN-405369 // VULMON: CVE-2022-20816 // JVNDB: JVNDB-2022-016752 // CNNVD: CNNVD-202208-2129 // NVD: CVE-2022-20816

SOURCES

db: VULHUB, id: VHN-405369
db: VULMON, id: CVE-2022-20816
db: JVNDB, id: JVNDB-2022-016752
db: CNNVD, id: CNNVD-202208-2129
db: NVD, id: CVE-2022-20816

LAST UPDATE DATE

2024-08-14T15:37:29.467000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-405369, date: 2022-08-12T00:00:00
db: JVNDB, id: JVNDB-2022-016752, date: 2023-10-06T06:33:00
db: CNNVD, id: CNNVD-202208-2129, date: 2022-08-15T00:00:00
db: NVD, id: CVE-2022-20816, date: 2023-11-07T03:43:01.880

SOURCES RELEASE DATE

db: VULHUB, id: VHN-405369, date: 2022-08-10T00:00:00
db: JVNDB, id: JVNDB-2022-016752, date: 2023-10-06T00:00:00
db: CNNVD, id: CNNVD-202208-2129, date: 2022-08-03T00:00:00
db: NVD, id: CVE-2022-20816, date: 2022-08-10T09:15:08.410