ID

VAR-202209-1949


CVE

CVE-2022-20850


TITLE

Input validation vulnerability in multiple Cisco Systems products

Trust: 0.8

sources: JVNDB: JVNDB-2022-018763

DESCRIPTION

A vulnerability in the CLI of stand-alone Cisco IOS XE SD-WAN Software and Cisco SD-WAN Software could allow an authenticated, local attacker to delete arbitrary files from the file system of an affected device. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by injecting arbitrary file path information when using commands in the CLI of an affected device. A successful exploit could allow the attacker to delete arbitrary files from the file system of the affected device. An input validation vulnerability exists in multiple Cisco Systems products, including Cisco SD-WAN vBond Orchestrator, Cisco SD-WAN vManage, and Cisco SD-WAN vSmart Controller. Information may be tampered with, and service operation may be interrupted (DoS). Both Cisco IOS XE SD-WAN Software and Cisco SD-WAN are products of Cisco. Cisco IOS XE SD-WAN Software is network management (software-defined networking) software for the Cisco IOS XE network operating system. Cisco SD-WAN is a highly secure cloud-scale architecture that is open, programmable, and scalable.

Trust: 1.8

sources: NVD: CVE-2022-20850 // JVNDB: JVNDB-2022-018763 // VULHUB: VHN-405403 // VULMON: CVE-2022-20850

AFFECTED PRODUCTS

vendor: cisco
model: sd-wan vsmart controller
scope: lt
version: 18.4.5

Trust: 1.0

vendor: cisco
model: sd-wan vbond orchestrator
scope: lt
version: 18.4.5

Trust: 1.0

vendor: cisco
model: sd-wan
scope: lt
version: 18.4.5

Trust: 1.0

vendor: cisco
model: ios xe sd-wan
scope: lt
version: 16.10.1

Trust: 1.0

vendor: cisco
model: sd-wan vmanage
scope: lt
version: 18.4.5

Trust: 1.0

vendor: Cisco Systems
model: cisco sd-wan vmanage
scope: -
version: -

Trust: 0.8

vendor: Cisco Systems
model: cisco sd-wan vsmart controller
scope: -
version: -

Trust: 0.8

vendor: Cisco Systems
model: cisco ios xe sd-wan
scope: eq
version: 16.10.1

Trust: 0.8

vendor: Cisco Systems
model: cisco sd-wan vbond orchestrator
scope: -
version: -

Trust: 0.8

vendor: Cisco Systems
model: cisco sd-wan
scope: -
version: -

Trust: 0.8

sources: JVNDB: JVNDB-2022-018763 // NVD: CVE-2022-20850

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-20850
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2022-20850
value: MEDIUM

Trust: 1.0

NVD: CVE-2022-20850
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202209-2888
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2022-20850
baseSeverity: HIGH
baseScore: 7.1
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.2
version: 3.1

Trust: 1.0

ykramarz@cisco.com: CVE-2022-20850
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 1.8
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2022-20850
baseSeverity: HIGH
baseScore: 7.1
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2022-018763 // CNNVD: CNNVD-202209-2888 // NVD: CVE-2022-20850 // NVD: CVE-2022-20850

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.1

problemtype:CWE-22

Trust: 1.0

problemtype:Improper Input Validation (CWE-20) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-405403 // JVNDB: JVNDB-2022-018763 // NVD: CVE-2022-20850

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202209-2888

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-202209-2888

PATCH

title: cisco-sa-arb-file-delete-VB2rVcQv
url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-arb-file-delete-VB2rVcQv

Trust: 0.8

title: Fix for the Cisco IOS XE SD-WAN Software and Cisco SD-WAN input validation error vulnerability
url: http://123.124.177.30/web/xxk/bdxqById.tag?id=209692

Trust: 0.6

title: Cisco: Cisco SD-WAN Arbitrary File Deletion Vulnerability
url: https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-arb-file-delete-VB2rVcQv

Trust: 0.1

sources: VULMON: CVE-2022-20850 // JVNDB: JVNDB-2022-018763 // CNNVD: CNNVD-202209-2888

EXTERNAL IDS

db: NVD
id: CVE-2022-20850

Trust: 3.4

db: JVNDB
id: JVNDB-2022-018763

Trust: 0.8

db: CNNVD
id: CNNVD-202209-2888

Trust: 0.7

db: AUSCERT
id: ESB-2022.4842

Trust: 0.6

db: VULHUB
id: VHN-405403

Trust: 0.1

db: VULMON
id: CVE-2022-20850

Trust: 0.1

sources: VULHUB: VHN-405403 // VULMON: CVE-2022-20850 // JVNDB: JVNDB-2022-018763 // CNNVD: CNNVD-202209-2888 // NVD: CVE-2022-20850

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-arb-file-delete-vb2rvcqv

Trust: 2.5

url:https://nvd.nist.gov/vuln/detail/cve-2022-20850

Trust: 0.8

url:https://vigilance.fr/vulnerability/cisco-sd-wan-software-sd-wan-vedge-routers-file-deletion-39410

Trust: 0.6

url:https://cxsecurity.com/cveshow/cve-2022-20850/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.4842

Trust: 0.6

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-405403 // VULMON: CVE-2022-20850 // JVNDB: JVNDB-2022-018763 // CNNVD: CNNVD-202209-2888 // NVD: CVE-2022-20850

SOURCES

db: VULHUB
id: VHN-405403

db: VULMON
id: CVE-2022-20850

db: JVNDB
id: JVNDB-2022-018763

db: CNNVD
id: CNNVD-202209-2888

db: NVD
id: CVE-2022-20850

LAST UPDATE DATE

2024-08-14T15:06:07.426000+00:00


SOURCES UPDATE DATE

db: VULHUB
id: VHN-405403
date: 2022-10-05T00:00:00

db: VULMON
id: CVE-2022-20850
date: 2022-09-30T00:00:00

db: JVNDB
id: JVNDB-2022-018763
date: 2023-10-23T07:26:00

db: CNNVD
id: CNNVD-202209-2888
date: 2022-10-08T00:00:00

db: NVD
id: CVE-2022-20850
date: 2023-11-07T03:43:07.130

SOURCES RELEASE DATE

db: VULHUB
id: VHN-405403
date: 2022-09-30T00:00:00

db: VULMON
id: CVE-2022-20850
date: 2022-09-30T00:00:00

db: JVNDB
id: JVNDB-2022-018763
date: 2023-10-23T00:00:00

db: CNNVD
id: CNNVD-202209-2888
date: 2022-09-28T00:00:00

db: NVD
id: CVE-2022-20850
date: 2022-09-30T19:15:12.543