ID

VAR-202210-0343


CVE

CVE-2022-20939


TITLE

Cisco Smart Software Manager On-Prem Privilege Escalation Vulnerability

Trust: 0.6

sources: CNVD: CNVD-2022-87605

DESCRIPTION

A vulnerability in the web-based management interface of Cisco Smart Software Manager On-Prem could allow an authenticated, remote attacker to elevate privileges on an affected system. This vulnerability is due to inadequate protection of sensitive user information. An attacker could exploit this vulnerability by accessing certain logs on an affected system. A successful exploit could allow the attacker to use the obtained information to elevate privileges to System Admin. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. Cisco Smart Software Manager On-Prem (SSM On-Prem) is Cisco's product license management component. There is a privilege escalation vulnerability in Cisco Smart Software Manager On-Prem 8-202206. This advisory is available at the following link: sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cssm-priv-esc-SEjz69dv

Trust: 1.53

sources: NVD: CVE-2022-20939 // CNVD: CNVD-2022-87605 // VULMON: CVE-2022-20939

IOT TAXONOMY

category: ['Network device']
sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2022-87605

AFFECTED PRODUCTS

vendor: cisco
model: smart software manager on-prem
scope: lt
version: 8-202206

Trust: 0.6

sources: CNVD: CNVD-2022-87605

CVSS

SEVERITY

CVSSV2

CVSSV3

ykramarz@cisco.com: CVE-2022-20939
value: MEDIUM

Trust: 1.0

CNVD: CNVD-2022-87605
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202210-180
value: MEDIUM

Trust: 0.6

CNVD: CNVD-2022-87605
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

ykramarz@cisco.com: CVE-2022-20939
baseSeverity: MEDIUM
baseScore: 4.3
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 1.4
version: 3.1

Trust: 1.0

sources: CNVD: CNVD-2022-87605 // CNNVD: CNNVD-202210-180 // NVD: CVE-2022-20939

PROBLEMTYPE DATA

problemtype: CWE-922

Trust: 1.0

sources: NVD: CVE-2022-20939

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202210-180

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202210-180

PATCH

title: Patch for Cisco Smart Software Manager On-Prem Privilege Escalation Vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/371471

Trust: 0.6

title: Cisco Smart Software Manager On-Prem Security vulnerabilities
url: http://123.124.177.30/web/xxk/bdxqById.tag?id=209861

Trust: 0.6

title: Cisco: Cisco Smart Software Manager On-Prem Privilege Escalation Vulnerability
url: https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-cssm-priv-esc-SEjz69dv

Trust: 0.1

title: CVE-2022-XXXX
url: https://github.com/AlphabugX/CVE-2022-23305

Trust: 0.1

title: CVE-2022-XXXX
url: https://github.com/AlphabugX/CVE-2022-RCE

Trust: 0.1

sources: CNVD: CNVD-2022-87605 // VULMON: CVE-2022-20939 // CNNVD: CNNVD-202210-180

EXTERNAL IDS

db: NVD, id: CVE-2022-20939

Trust: 2.3

db: CNVD, id: CNVD-2022-87605

Trust: 0.6

db: CNNVD, id: CNNVD-202210-180

Trust: 0.6

db: VULMON, id: CVE-2022-20939

Trust: 0.1

sources: CNVD: CNVD-2022-87605 // VULMON: CVE-2022-20939 // CNNVD: CNNVD-202210-180 // NVD: CVE-2022-20939

REFERENCES

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-cssm-priv-esc-sejz69dv

Trust: 1.2

url: https://sec.cloudapps.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-cssm-priv-esc-sejz69dv

Trust: 1.1

url: https://sec.cloudapps.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-bw-thinrcpt-xss-gsj4cecu

Trust: 1.0

url: https://github.com/alphabugx/cve-2022-23305

Trust: 0.1

sources: CNVD: CNVD-2022-87605 // VULMON: CVE-2022-20939 // CNNVD: CNNVD-202210-180 // NVD: CVE-2022-20939

SOURCES

db: CNVD, id: CNVD-2022-87605
db: VULMON, id: CVE-2022-20939
db: CNNVD, id: CNNVD-202210-180
db: NVD, id: CVE-2022-20939

LAST UPDATE DATE

2024-11-19T23:31:44.342000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2022-87605, date: 2022-12-14T00:00:00
db: CNNVD, id: CNNVD-202210-180, date: 2022-10-09T00:00:00
db: NVD, id: CVE-2022-20939, date: 2024-11-18T17:11:56.587

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2022-87605, date: 2022-12-14T00:00:00
db: CNNVD, id: CNNVD-202210-180, date: 2022-10-05T00:00:00
db: NVD, id: CVE-2022-20939, date: 2024-11-15T16:15:24.200