Details of VAR-202211-0372

ID

VAR-202211-0372

CVE

CVE-2022-20937

TITLE

Cisco Systems Cisco Identity Services Engine (ISE) Resource exhaustion vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2022-022871

DESCRIPTION

A vulnerability in a feature that monitors RADIUS requests on Cisco Identity Services Engine (ISE) Software could allow an unauthenticated, remote attacker to negatively affect the performance of an affected device. This vulnerability is due to insufficient management of system resources. An attacker could exploit this vulnerability by taking actions that cause Cisco ISE Software to receive specific RADIUS traffic. A successful and sustained exploit of this vulnerability could allow the attacker to cause reduced performance of the affected device, resulting in significant delays to RADIUS authentications. There are workarounds that address this vulnerability. Cisco Systems Cisco Identity Services Engine (ISE) Exists in a resource exhaustion vulnerability.Service operation interruption (DoS) It may be in a state

Trust: 1.71

sources: NVD: CVE-2022-20937 // JVNDB: JVNDB-2022-022871 // VULHUB: VHN-405490

AFFECTED PRODUCTS

vendor:	cisco	model:	identity services engine	scope:	lt	version:	2.7.0	Trust: 1.0
vendor:	cisco	model:	identity services engine	scope:	eq	version:	3.0.0	Trust: 1.0
vendor:	cisco	model:	identity services engine	scope:	eq	version:	2.7.0	Trust: 1.0
vendor:	cisco	model:	identity services engine	scope:	eq	version:	3.1	Trust: 1.0
vendor:	シスコシステムズ	model:	cisco identity services engine	scope:	eq	version:	2.7.0	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco identity services engine	scope:	eq	version:	3.1	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco identity services engine	scope:	eq	version:	3.0.0	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco identity services engine	scope:	eq	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2022-022871 // NVD: CVE-2022-20937

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-20937
value:	MEDIUM
Trust: 1.0
ykramarz@cisco.com:	CVE-2022-20937
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2022-20937
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202211-2104
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2022-20937
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	LOW
exploitabilityScore:	3.9
impactScore:	1.4
version:	3.1
Trust: 2.0
NVD:	CVE-2022-20937
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	LOW
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2022-022871 // CNNVD: CNNVD-202211-2104 // NVD: CVE-2022-20937 // NVD: CVE-2022-20937

PROBLEMTYPE DATA

problemtype:	CWE-400	Trust: 1.1
problemtype:	CWE-410	Trust: 1.0
problemtype:	Resource exhaustion (CWE-400) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-405490 // JVNDB: JVNDB-2022-022871 // NVD: CVE-2022-20937

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202211-2104

TYPE

resource management error

Trust: 0.6

sources: CNNVD: CNNVD-202211-2104

PATCH

title:	cisco-sa-ise-sec-atk-dos-zw5RCUYp	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-sec-atk-dos-zw5RCUYp	Trust: 0.8
title:	Cisco Identity Services Engine Remediation of resource management error vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=213289	Trust: 0.6

sources: JVNDB: JVNDB-2022-022871 // CNNVD: CNNVD-202211-2104

EXTERNAL IDS

db:	NVD	id:	CVE-2022-20937	Trust: 3.3
db:	JVNDB	id:	JVNDB-2022-022871	Trust: 0.8
db:	CNNVD	id:	CNNVD-202211-2104	Trust: 0.6
db:	VULHUB	id:	VHN-405490	Trust: 0.1

sources: VULHUB: VHN-405490 // JVNDB: JVNDB-2022-022871 // CNNVD: CNNVD-202211-2104 // NVD: CVE-2022-20937

REFERENCES

url:	https://sec.cloudapps.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-ise-sec-atk-dos-zw5rcuyp	Trust: 1.0
url:	https://nvd.nist.gov/vuln/detail/cve-2022-20937	Trust: 0.8
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-ise-sec-atk-dos-zw5rcuyp	Trust: 0.7
url:	https://cxsecurity.com/cveshow/cve-2022-20937/	Trust: 0.6

sources: VULHUB: VHN-405490 // JVNDB: JVNDB-2022-022871 // CNNVD: CNNVD-202211-2104 // NVD: CVE-2022-20937

SOURCES

db:	VULHUB	id:	VHN-405490
db:	JVNDB	id:	JVNDB-2022-022871
db:	CNNVD	id:	CNNVD-202211-2104
db:	NVD	id:	CVE-2022-20937

LAST UPDATE DATE

2024-08-14T14:55:09.448000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-405490	date:	2022-11-07T00:00:00
db:	JVNDB	id:	JVNDB-2022-022871	date:	2023-11-21T03:30:00
db:	CNNVD	id:	CNNVD-202211-2104	date:	2022-11-08T00:00:00
db:	NVD	id:	CVE-2022-20937	date:	2024-01-25T17:15:20.310

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-405490	date:	2022-11-04T00:00:00
db:	JVNDB	id:	JVNDB-2022-022871	date:	2023-11-21T00:00:00
db:	CNNVD	id:	CNNVD-202211-2104	date:	2022-11-04T00:00:00
db:	NVD	id:	CVE-2022-20937	date:	2022-11-04T18:15:11.040